Preface


ASIACRYPT 2007 was held in Kuching, Sarawak, Malaysia, during December 
2-6, 2007. This was the 13th ASIACRYPT conference, and was sponsored by the 
International Association for Cryptologic Research (IACR), in cooperation with 
the Information Security Research (iSECURES) Lab of Swinburne University of 
Technology (Sarawak Campus) and the Sarawak Development Institute (SDI), 
and was financially supported by the Sarawak Government. The General Chair 
was Raphael Phan and I had the privilege of serving as the Program Chair. 

The conference received 223 submissions (from which one submission was 
withdrawn). Each paper was reviewed by at least three members of the Program 
Committee, while submissions co-authored by a Program Committee member 
were reviewed by at least five members. (Each PC member could submit at 
most one paper.) Many high-quality papers were submitted, but due to the 
relatively small number which could be accepted, many very good papers had 
to be rejected. After 11 weeks of reviewing, the Program Committee selected 33 
papers for presentation (two papers were merged). The proceedings contain the 
revised versions of the accepted papers. These revised papers were not subject 
to editorial review and the authors bear full responsibility for their contents. 

The Committee selected the following two papers as the best papers: “Cryptanalysis of Grindahl” by Thomas Peyrin; and “Faster Addition and Doubling on Elliptic Curves” by Daniel J. Bernstein and Tanja Lange. The authors of these two papers were invited to submit the full version of their paper to the . The author of the first paper, Thomas Peyrin, received the Best Paper Award.

The conference featured invited lectures by Ran Canetti and Tatsuaki 
Okamoto. Ran Canetti’s paper “Treading the Impossible: A Tour of Set-Up 
Assumptions for Obtaining Universally Composable Security” and Tatsuaki 
Okamoto’s paper “Authenticated Key Exchange and Key Encapsulation in the 
Standard Model” have been included in this volume. 

There are many people who contributed to the success of ASIACRYPT 2007. 
I would like to thank many authors from around the world for submitting their 
papers. I am deeply grateful to the Program Committee for their hard work to 
ensure that each paper received a thorough and fair review. I gratefully acknowl- 
edge the external reviewers listed on the following pages. I am also grateful to 
Arjen Lenstra, Bart Preneel, and Andy Clark for their advice as the directors 
of IACR. Finally, I would like to thank the General Chair, Raphael Phan, for 
organizing the conference and Shai Halevi for developing and maintaining his 
very nice Web Submission and Review System. 
A Kilobit Special Number Field Sieve
Factorization 


Kazumaro Aoki^1, Jens Franke^2, Thorsten Kleinjung^2, Arjen K. Lenstra^{3,4}, and Dag Arne Osvik^3

1 NTT, 3-9-11 Midori-cho, Musashino-shi, Tokyo, 180-8585 Japan
2 University of Bonn, Department of Mathematics, Beringstraße 1, D-53115 Bonn, Germany
3 EPFL IC LACAL, INJ 330, Station 14, 1015 Lausanne, Switzerland
4 Alcatel-Lucent Bell Laboratories, Murray Hill, NJ, USA


Abstract. We describe how we reached a new factoring milestone by completing the first special number field sieve factorization of a number having more than 1024 bits, namely the Mersenne number $2^{1039} - 1$. Although this factorization is orders of magnitude ‘easier’ than a factorization of a 1024-bit RSA modulus is believed to be, the methods we used to obtain our result shed new light on the feasibility of the latter computation.


1 Introduction 

Proper RSA security evaluation is one of the key tasks of practicing cryptologists. This evaluation includes tracking progress in integer factorization. In this note we present a long awaited factoring milestone. More importantly, we consider to what extent the methods we have developed to obtain our result, and which are under constant refinement, may be expected to enable us or others to push factoring capabilities even further.

We have determined the complete factorization of the Mersenne number $2^{1039} - 1$ using the special number field sieve integer factorization method (SNFS). The factor 5080711 was already known, so we obtained the new factorization of the composite 1017-bit number $(2^{1039} - 1)/5080711$. The SNFS, however, cannot take advantage of the factor 5080711. Therefore, the difficulty of our SNFS factoring effort is equivalent to the difficulty of the effort that would be required for a 1039-bit number that is very close to a power of two. This makes our factorization the first SNFS factorization that reaches the 1024-bit milestone. The previous SNFS record was the complete factorization of the 913-bit number $6^{353} - 1$ (cf. [?]).

Factoring an RSA modulus of comparable size would be several orders of 
magnitude harder. Simply put, this is because RSA moduli require usage of the 
general number field sieve algorithm (NFS), which runs much slower than the 
SNFS on numbers of comparable size. It is even the case that factoring a 768-bit 
RSA modulus would be substantially harder than a 1024-bit ‘special’ one. For 
that reason we chose to first attempt a 1024-bit SNFS factorization, as presented
in this paper, before embarking on a much harder 768-bit RSA modulus using 
NFS. We point out that a 768-bit NFS factorization will prove to be more helpful 
than our present 1039-bit SNFS factorization to assess the difficulty of factoring 
a 1024-bit RSA modulus. 

The aspects of our effort where we made most progress, and where our effort 
distinguishes itself most from previous factoring work such as the previous (913- 
bit) SNFS record, apply equally well to NFS as they apply to SNFS. They 
will therefore also have an effect on the assessment of feasibility of NFS-based 
factorizations such as those of RSA moduli. This need for re-assessment is the 
main reason that we feel that our result should be reported in the cryptologic 
literature. For more information on this point see below under ‘Matrix’. 

Descriptions of the SNFS and NFS catering to almost all levels of understanding are scattered all over the literature and the web (cf. [11]). There is no need to duplicate any of these previous efforts for the purposes of the present paper. Although familiarity with sieving methods is helpful to fully appreciate all details, for an adequate understanding of the main points it suffices to know that both SNFS and NFS consist of the following major steps (cf. [11]).

Polynomial selection. Decide on polynomials to sieve with. For SNFS this does not require any computational effort, for NFS it pays off to spend a considerable effort to find ‘good’ polynomials. Since we factored $2^{1039} - 1$ using the SNFS our choice was easy and is reported in Section 3.
Sieving. For appropriately chosen parameters, perform the sieving step to find sufficiently many relations. Though finding enough relations is the major computational task, it can be done in embarrassingly parallel fashion. All relevant data for our effort are reported in Section 3.
Filtering. Filter the relations to produce a matrix. See Section 4 for the effort involved in our case.

Matrix. Find linear dependencies modulo 2 among the rows of the matrix. In theory, and asymptotically, this requires an effort comparable to the sieving step. For numbers in our current range of interest, however, the amount of computing time required for the matrix step is a fraction of the time required for the sieving step. Nevertheless, and perhaps surprisingly to some, the matrix step normally constitutes the bottleneck of large factorization efforts. This is caused by the fact that it does not seem to allow the same level of parallelization as the sieving step. So far, the matrix step has, by necessity, been carried out at a single location and requires many weeks, if not months, of dedicated computing time on a tightly coupled full cluster (typically consisting of on the order of a hundred compute nodes). Consequently, our matrix-handling capabilities were limited by accessibility and availability of large single clusters.

The major point where our effort distinguishes itself from previous work is that we did the matrix step in parallel as four independent jobs on different clusters at various locations. This was made possible by using Coppersmith’s block Wiedemann algorithm [7] instead of the block Lanczos method [?].




Further work and fine-tuning in this area can have a major impact on what can realistically be achieved, matrix-wise, and therefore factoring-wise: as implied by what was mentioned before, the effort required for the sieving step is not what practically limited our factoring capabilities, it was limited by the matrix step. The details of the new matrix step are reported in Section 5.
Square root. For each dependency in turn a square root calculation in a certain number field is performed, until the factorization is found (which happens for each dependency with probability $\ge 1/2$, independent of the other dependencies). The details, and the resulting factorization, are reported in Section 6.

Sections 3 through 6, with contents related to our factorization of $2^{1039} - 1$ as indicated above, are followed by a discussion of the wider consequences of our approach in Section 7. Furthermore, in Section 2 we describe how the number $2^{1039} - 1$ was selected as the target number for our kilobit SNFS attempt.

Throughout this paper M and G denote $10^6$ and $10^9$, respectively, and logarithms are natural.

2 Selecting a Kilobit SNFS Target Number 

Once the decision had been reached to attempt a kilobit SNFS factorization by a 
joint effort, it remained to find a suitable target number to factor. In this section 
we describe the process that led to our choice of $2^{1039} - 1$.

Regular RSA moduli were ruled out, since in general they will not have the special form required for SNFS. Special form numbers, however, are not especially concocted to have two factors of approximately the same size, and have factors of a priori unknown sizes. In particular, they may have factors that could relatively easily be found using factoring methods different from SNFS, such as Pollard’s $p - 1$ or $\rho$ method, or the elliptic curve method (ECM, cf. [13]). Thus, for all kilobit special form numbers under consideration, we first spent a considerable ECM effort to increase our confidence that the number we would eventually settle for would not turn out to have an undesirably small factor, i.e., a factor that could have been found more easily using, for instance, ECM.

Of the candidates that we tried, a 304-digit factor of $10^{371} - 1$ turned out to have a 50-digit prime factor (found by ECM after 2,652 curves with first phase bound 43M), for a 306-digit factor of the number known as 2,2062M a 47-digit factor was found (by ECM, after 4,094 curves with the same bound), for a 307-digit factor of 2,2038M a 49-digit factor was found (ECM with 5,490 curves and same bound), and $10^{311} - 1$ was similarly ruled out after ECM found a 64-digit factor (11,214 curves with 850M as first phase bound and corresponding GMP-ECM 6.0 default second phase bound 12,530G, cf. [2]).

The 307-digit number $(2^{1039} - 1)/5080711$ withstood all our ECM efforts: 1,472 curves with first and second phase bounds 850M and 12,530G, respectively, and 256,599 curves with bounds 1,100M and 2,480G, failed to turn up a factor. This calculation was carried out on idle PCs at NTT. It would have required more than 125 years on a single Opteron 2.2GHz with 4GB RAM. Based on the number of curves and the bounds used, it is estimated that a 65-digit factor would be missed with probability about 3.4%, a 70-digit one with probability 53.2%, and an 80-digit factor with probability 98.2%. Given the ECM failure and the substantial effort spent on it, we settled for the 307-digit factor of $2^{1039} - 1$ for our kilobit SNFS factorization attempt.

The software used for the ECM attempt was GMP-ECM 6.0 [?] and Prime95 24.14 [12] on a variety of platforms.

3 Parameter Selection and Sieving 

In this section we present the polynomials that we used for the SNFS factorization of $2^{1039} - 1$ and give a superficial description of the sieving step.

With $1039 = 1 + 6 \cdot 173$ it follows that the polynomials $g(X) = X - 2^{173}$ and $f(X) = 2X^6 - 1$ have the root $2^{173}$ in common modulo $2^{1039} - 1$. As customary, everything related to $g(X)$ is referred to as the ‘rational side’, as opposed to the ‘algebraic side’ for $f(X)$. In the sieving step we find sufficiently many relations: coprime integers $a, b$ with $b > 0$ such that both norms $b\,g(a/b) = a - 2^{173} b$ and $b^6 f(a/b) = 2a^6 - b^6$ have only small prime factors. Here ‘sufficiently many’ depends on the meaning of ‘small’. What we deem to be ‘small’ depends in the first place on the memory sizes of the machines used for sieving and on the matrix size that we should be aiming for given what matrix size we think we can handle. This means that ‘small’ cannot be too large. In the second place, the expected time until we have enough relations should be acceptable too, which implies that ‘small’ cannot be too small either. The choice made always involves this trade-off and is given below. The theoretical justification, and parameter choice, can be found in the NFS literature (cf. [?]).

To find relations we used so-called special $q$’s on the rational side combined with lattice sieving: primes $q$ dividing $b\,g(a/b)$, such that each $q$ leads to an index $q$ sublattice $L_q$ of $\mathbb{Z}^2$. Most of the 40M special $q$’s between 123M and 911M were used (though the results of some small regions of $q$’s were for organizational reasons not included in the later steps). For most special $q$’s the rectangular region of size $2^{16} \times 2^{15}$ in the upper half plane of $L_q$ was sieved via lattice sieving. For the special $q$’s smaller than 300M this was done with factor bases consisting of all (prime, root) pairs for all primes up to 300M on the algebraic side and all primes $< 0.9q$ on the rational side, but up to 300M on both sides for the special $q$’s larger than 300M. Running our lattice siever with these parameters required approximately 1GB RAM, which was available on most machines we were using. A small fraction of the special $q$’s was used on machines with smaller amounts of memory with factor base bounds of 120M on both sides. Large primes (i.e., factors beyond the factor base bounds) up to $2^{38}$ were accepted on both sides, without trying hard to find anything larger than $2^{36}$ and casting aside cofactors larger than $2^{105}$. Also, cofactor pairs were not considered for which the quotient of the probability of obtaining a relation and the time spent on factoring was below a certain threshold, as described in [3].
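The polynomial pair and the relation-acceptance rules of this section, scaled down to a toy exponent so that they can be run: the following Python is an added example, not the authors' lattice siever. It keeps the structure $g(X) = X - 2^k$, $f(X) = 2X^6 - 1$ for $N = 2^n - 1$ with $n = 1 + 6k$ (the paper's case is $k = 173$), checks the common root, and replaces lattice sieving by plain enumeration of a rectangle of coprime $(a, b)$ with trial division, so it generalizes the $2^{1039} - 1$ instance to any exponent $n \equiv 1 \pmod 6$. The factor-base bound, large-prime bound and cofactor bound play the roles of 300M, $2^{38}$ and $2^{105}$ above; all function names and parameter values are choices made here and do not come from the paper.

```python
from math import gcd, isqrt

def primes_up_to(bound):
    """Primes <= bound (sieve of Eratosthenes)."""
    flags = bytearray([1]) * (bound + 1)
    flags[0] = flags[1] = 0
    for p in range(2, isqrt(bound) + 1):
        if flags[p]:
            flags[p * p::p] = bytearray(len(range(p * p, bound + 1, p)))
    return [p for p in range(2, bound + 1) if flags[p]]

def snfs_setup(n_exp):
    """For N = 2^n_exp - 1 with n_exp = 1 + 6k, g(X) = X - 2^k and f(X) = 2X^6 - 1
    share the root 2^k modulo N, since f(2^k) = 2^(6k+1) - 1 = N.  Returns (N, k)."""
    if n_exp % 6 != 1:
        raise ValueError("this degree-6 pair needs an exponent that is 1 mod 6")
    k = (n_exp - 1) // 6
    N = (1 << n_exp) - 1
    root = 1 << k
    assert (2 * pow(root, 6, N) - 1) % N == 0          # f(root) = 0 (mod N)
    return N, k

def norms(a, b, k):
    """Homogenised norms b*g(a/b) = a - 2^k b and b^6 f(a/b) = 2a^6 - b^6."""
    return a - b * (1 << k), 2 * a**6 - b**6

def split_norm(n, fb, fb_bound, lp, lp_bound, max_large):
    """Prime factors of |n| if it is fb_bound-smooth apart from at most max_large
    'large primes' in (fb_bound, lp_bound]; None if the pair must be cast aside
    (norm 0, cofactor above lp_bound^max_large, or a prime above lp_bound)."""
    n = abs(n)
    if n == 0:
        return None
    factors = []
    for p in fb:                                  # factor base: trial division
        if p * p > n:
            break
        while n % p == 0:
            factors.append(p)
            n //= p
    if 1 < n <= fb_bound:                         # leftover prime still in the factor base
        factors.append(n)
        n = 1
    if n == 1:
        return factors
    if n > lp_bound ** max_large:                 # cofactor bound: not worth factoring
        return None
    large = []
    for p in lp:                                  # primes in (fb_bound, lp_bound]
        if p * p > n:
            break
        while n % p == 0:
            large.append(p)
            n //= p
    if n > 1:
        if n > lp_bound:                          # a prime beyond the large-prime bound
            return None
        large.append(n)
    if len(large) > max_large:
        return None
    return factors + large

def find_relations(n_exp, a_max, b_max, fb_bound, lp_bound, max_large=2):
    """Enumerate coprime (a, b) with b > 0 in a rectangle (a stand-in for lattice
    sieving) and keep the pairs whose two norms both split as required."""
    _, k = snfs_setup(n_exp)
    fb = primes_up_to(fb_bound)
    lp = [p for p in primes_up_to(lp_bound) if p > fb_bound]
    rels = []
    for b in range(1, b_max + 1):
        for a in range(-a_max, a_max + 1):
            if gcd(a, b) != 1:
                continue
            rat, alg = norms(a, b, k)
            rf = split_norm(rat, fb, fb_bound, lp, lp_bound, max_large)
            if rf is None:
                continue
            af = split_norm(alg, fb, fb_bound, lp, lp_bound, max_large)
            if af is None:
                continue
            rels.append((a, b, rf, af))
    return rels

def relation_is_consistent(rel, k, lp_bound):
    """Sanity check: reported factors multiply back to the norms and obey the bound."""
    a, b, rf, af = rel
    rat, alg = norms(a, b, k)
    def product(xs):
        out = 1
        for x in xs:
            out *= x
        return out
    return (gcd(a, b) == 1 and product(rf) == abs(rat) and product(af) == abs(alg)
            and all(p <= lp_bound for p in rf + af))

if __name__ == "__main__":
    rels = find_relations(37, 100, 40, 1000, 1 << 14)   # N = 2^37 - 1, k = 6
    print(len(rels), "relations; first few:", rels[:3])
```

With exponent 37 (so $k = 6$) the pair $(1, 1)$ is a relation, since its norms are $-63 = -3^2 \cdot 7$ and $1$, while $(64, 1)$ is rejected because its rational norm $a - 2^6 b$ vanishes, a degenerate pair a real siever must skip as well. The cofactor test sits before the expensive second trial division for the same reason the paper casts aside cofactors above $2^{105}$: most of the sieving-region survivors die there cheaply.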




After a period of about 6 months, at first using PCs and clusters at NTT and the University of Bonn, but later joined by clusters at EPFL, we had collected 16,570,808,010 relations. Of these relations, 84.1% were found at NTT, 8.3% at EPFL, and 7.6% at the University of Bonn. The total CPU time would be 95 years when scaled to a 3GHz (dual core) Pentium D, or about 100 years on a 2.2GHz Athlon64/Opteron. This boils down to 190 Pentium D core years and to about 2.5 relations per second per core. The relations required more than a terabyte of disk space, with copies held at NTT, EPFL, and the University of Bonn.

We used the sieving software from [?].

4 Filtering 

Because of the special $q$’s the raw data as produced by the sieving step will contain a considerable number of duplicates. Before doing the complete sieving step we had estimated the number of duplicates as follows. We did lattice sieving for a tiny fraction, say $f$, of special $q$’s, uniformly distributed over the special $q$ range that we roughly expected to process. For each relation $r$ (corresponding to $(a, b)$) obtained in this way, we computed how often it will be generated in the sieving step. Denote this number by $\mu(r)$. In an ideal situation $\mu(r)$ can be calculated as follows. First, one checks for each prime in the factorization of $b\,g(a/b)$ whether it is in the special $q$ range, i.e., whether it is a potential special $q$ producing this relation. Secondly, for each such potential special $q$ one checks whether the point $(a, b)$ would be in the sieving region for this special $q$, and if it passed this test, whether the cofactor bounds are kept. Since a lot of approximations are made in the sieving process, the true $\mu(r)$ might be a bit smaller.

The expected number of relations for the complete special $q$ range is $f^{-1} \sum_r 1$ and the estimated number of unique relations is $f^{-1} \sum_r \frac{1}{\mu(r)}$. Note that by possibly overestimating $\mu(r)$ we underestimate the number of unique relations. Doing this calculation for 99 of the special $q$’s and the sieving parameters that we actually used, we expected that slightly more than one sixth (16.73%) of the relations found would be duplicates. It turned out that just a little less than one sixth of the relations (namely 2,748,064,961 for 16.58%) were identified as duplicates. This resulted in a uniqued set of 13,822,743,049 relations. Identifying and removing the duplicates took less than ten days on two 2GHz Opterons with 4GB RAM each.
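The $\mu(r)$ computation and the two estimates above, carried out on a constructed sample: an added Python example, not the authors' code. It assumes the toy instance $k = 6$ (rational root $2^6 \bmod q$), the special-$q$ lattice $L_q = \{(a, b) : a \equiv 2^k b \pmod q\}$ spanned by $(q, 0)$ and $(2^k \bmod q, 1)$ and then Gauss-reduced, and a sieve region of $-I/2 \le i < I/2$, $0 \le j < J$ in coordinates of the reduced basis, with $(i, j)$ identified with $(-i, -j)$ because $(a, b)$ and $(-a, -b)$ give the same relation. That region convention, the omission of the cofactor-bound check, and all names and sizes are simplifications made here. The sample relations are generated from random lattice points, so each is guaranteed to be produced by at least the special $q$ it came from, which is what makes $\mu(r) \ge 1$ and the estimate well defined.

```python
import random
from math import gcd

def primes_between(lo, hi):
    """Primes in [lo, hi] by trial division (enough for toy special-q ranges)."""
    return [p for p in range(max(lo, 2), hi + 1)
            if all(p % d for d in range(2, int(p ** 0.5) + 1))]

def gauss_reduce(q, r):
    """Gauss/Lagrange-reduced basis of L_q = {(a, b): a = r*b (mod q)},
    starting from the basis (q, 0), (r, 1)."""
    u, v = (q, 0), (r % q, 1)
    while True:
        if u[0] * u[0] + u[1] * u[1] < v[0] * v[0] + v[1] * v[1]:
            u, v = v, u                                        # keep |u| >= |v|
        vv = v[0] * v[0] + v[1] * v[1]
        m = (2 * (u[0] * v[0] + u[1] * v[1]) + vv) // (2 * vv)   # round(u.v / v.v)
        if m == 0:
            return u, v
        u = (u[0] - m * v[0], u[1] - m * v[1])

def lattice_coords(a, b, basis):
    """(i, j) with i*u + j*v = (a, b), or None if (a, b) is not in the lattice."""
    (u0, u1), (v0, v1) = basis
    det = u0 * v1 - u1 * v0                                    # = +-q
    i_num, j_num = a * v1 - b * v0, u0 * b - u1 * a
    if i_num % det or j_num % det:
        return None
    return i_num // det, j_num // det

def in_sieve_region(a, b, q, r, I, J):
    """Assumed siever convention: -I/2 <= i < I/2 and 0 <= j < J in reduced-basis
    coordinates, with (i, j) ~ (-i, -j) since (a, b) and (-a, -b) are one relation."""
    c = lattice_coords(a, b, gauss_reduce(q, r))
    if c is None:
        return False
    i, j = c
    if j < 0 or (j == 0 and i < 0):
        i, j = -i, -j
    return -I // 2 <= i < I // 2 and 0 <= j < J

def special_q_multiplicity(a, b, k, q_min, q_max, I, J):
    """mu(r): number of special q in [q_min, q_max] dividing the rational norm
    a - 2^k b whose sieve region contains (a, b).  Cofactor-bound checks omitted."""
    n = abs(a - b * (1 << k))
    root = 1 << k
    count, p = 0, 2
    while p * p <= n:
        if n % p == 0:
            while n % p == 0:
                n //= p
            if q_min <= p <= q_max and in_sieve_region(a, b, p, root % p, I, J):
                count += 1
        p += 1
    if n > 1 and q_min <= n <= q_max and in_sieve_region(a, b, n, root % n, I, J):
        count += 1
    return count

def sample_relations(k, q_list, I, J, seed):
    """Constructed sample: one random point of each special q's region, mapped to
    (a, b).  q divides a - 2^k b by construction; smoothness of the rest of the
    norms is not checked because only mu(r) matters for the estimate."""
    rng = random.Random(seed)
    rels = []
    for q in q_list:
        u, v = gauss_reduce(q, (1 << k) % q)
        i, j = rng.randrange(-I // 2, I // 2), rng.randrange(1, J)
        a, b = i * u[0] + j * v[0], i * u[1] + j * v[1]
        if b < 0:
            a, b = -a, -b
        if b > 0 and gcd(a, b) == 1 and a != b * (1 << k):
            rels.append((a, b))
    return rels

def estimate_duplicates(sample_rels, f, k, q_min, q_max, I, J):
    """From a sample covering a fraction f of the special q's:
    total = f^-1 * sum_r 1,  unique = f^-1 * sum_r 1/mu(r)."""
    mus = [special_q_multiplicity(a, b, k, q_min, q_max, I, J) for a, b in sample_rels]
    if any(m == 0 for m in mus):
        raise ValueError("a sampled relation no special q produces: region model is wrong")
    total = len(sample_rels) / f
    unique = sum(1.0 / m for m in mus) / f
    return total, unique, mus

if __name__ == "__main__":
    qs = primes_between(100, 400)
    sample = sample_relations(6, qs, 64, 32, seed=3)
    total, unique, mus = estimate_duplicates(sample, 0.01, 6, 100, 400, 64, 32)
    print(f"expected {total:.0f} relations, {unique:.0f} unique, "
          f"{100 * (1 - unique / total):.1f}% duplicates; mu values {sorted(set(mus))}")
```

For $q = 101$ the reduced basis is $(-7, -8), (10, -3)$ with determinant $101$, and $(a, b) = (91, 3)$ has rational norm $-101$ and coordinates $(-3, 7)$, so with $I = 64$, $J = 32$ its $\mu$ is exactly $1$: it is produced once, by the special $q = 101$. A relation whose rational norm carries two special-$q$ primes that both place it inside their regions gets $\mu = 2$ and is counted twice by the siever but only $1/2$ in the unique estimate.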

Next the singletons were removed: these are relations in which a prime or (prime, root) pair occurs that does not occur in any other relation. This step is combined with the search for cliques, i.e., combinations of the relations where the large primes match up, as fully described in [?]. This took less than 4 days on single cores of 113 3GHz Pentium D processors. Finally, the same hardware was used for 69 hours for a final filtering step that produced a 66,718,354 × 66,718,154 matrix of total weight 9,538,688,635.

Overall the CPU time required to produce the matrix from the raw relations 
was less than 2 years on a 3GHz Pentium D. It was completed in less than a 
week, since most of the uniqueing was done during the sieving. 
As usual we did some ‘over-sieving’, i.e., a smaller number of relations sufficed to produce an over-square, but harder to solve, matrix. More specifically, at 14.32G relations (of which 12.34G were unique) we found an 82,848,491 × 82,848,291 matrix of weight 10,003,376,265, but this matrix was obtained using suboptimal settings and the relations involving 38-bit primes were not used. At 15.61G relations (13.22G unique), using better settings and all relations found, we obtained a 71,773,531 × 71,773,331 matrix of weight 9,681,804,348. We do not know at which point precisely we had enough relations to build a matrix. But from our figures it follows that, since $2 \cdot 2^{38}/\log(2^{38}) \approx 20.9\mathrm{G}$, finding $0.68 \cdot 2\pi(2^{38})$ (non-uniqued) relations sufficed to construct a matrix. This low value 0.68 compared to previous efforts is due to the relatively large bound $2^{38}$ on the large primes.

5 The Matrix Step 

In the matrix step linear dependencies modulo 2 among the rows of the 66,718,354 × 66,718,154 matrix were sought. This was done using the block Wiedemann algorithm with block length 4 times 64. The details of this algorithm are described in Section 5.1 below. It resulted in 50 dependencies which gave, after quadratic characters tests, 47 useful solutions. A partial explanation of why we got only 50 dependencies as opposed to the expected 200 ones can be found in Section 5.2.

The major part of the calculation (the matrix×vector multiplies, cf. steps 2 and 4 in Section 5.1 below) was carried out in parallel on a cluster of 110 3GHz Pentium D processors (with 2 cores per processor) at NTT and a cluster of 96 2.66GHz Dual Core2Duo processors (with 4 cores per node) at EPFL. On the latter cluster one or two jobs were run on a varying number of the 96 processors. Scaled to the processors involved, the entire computation would have required 59 days on the Pentium cluster, which is 35 Pentium D core years, or 162 days on 32 nodes of the other cluster, i.e., 56 Dual Core2Duo core years. It should be noted that each of two parallel jobs running on the Pentium D cluster ran about 1.5 times slower than a single job, whereas the load was about 1. This seems to indicate that the same wall-clock time can be achieved on a cluster of 110 single core 3GHz Pentium Prescott processors on a similar network. The relatively poor performance of the cluster at EPFL is probably caused by the fact that the four cores per Dual Core2Duo node share a single network connection. The cluster at NTT has torus topology and the nodes are connected with gigabit ethernet. Transferring intermediate data between NTT and EPFL took about half a day over the Internet.

The computation took place over a period of 69 days, due to several periods of inactivity caused by a variety of circumstances. In principle it could have been done in less than 59 days: had we done everything at NTT under ideal conditions (no inactivity), it would have taken 59 days, and had we used both clusters under ideal conditions it should have taken less time. The software we used for the matrix step was written by the second and third author.
A relatively minor step of the calculation (the Berlekamp-Massey step, cf. step 3 in Section 5.1 below) took 8 hours on 64 cores at the University of Bonn. On 72 cores at EPFL it took a bit less than 7 hours.

5.1 The Block Wiedemann Algorithm 

We give a brief description of the block Wiedemann algorithm (see [7], and for the Berlekamp-Massey algorithm [?]). Let $B$ be a $d \times d$ matrix over $\mathbb{F}_2$. The block Wiedemann algorithm depends on two parameters $m, n \in \mathbb{N}$ and heuristically finds $n$ solutions of $Bv = 0$. For our matrix $d = 66{,}718{,}354$ and we used $m = 512 = 64 \cdot 8$ and $n = 256 = 64 \cdot 4$. It consists of the following five steps (suppressing some technical details):

1. Random vectors $x_1, \dots, x_m$ and $z_1, \dots, z_n$ are chosen and $y_l = B z_l$ for $l = 1, \dots, n$ are computed. It is possible to choose $x_i$ as unit vectors to simplify the next step.

2. For $i = 1, \dots, \frac{d}{m} + \frac{d}{n} + O(1)$ the scalar products $a^{(i)}_{kl} = (x_k, B^i y_l)$ are computed. We used $i \le 393{,}216$. Denote the polynomial $\sum_i A^{(i)} t^i$ of $n \times m$ matrices $A^{(i)}$ (with entries $a^{(i)}_{kl}$) over $\mathbb{F}_2$ by $A$.

3. (Berlekamp-Massey step) In this step a polynomial $F$ of $n \times n$ matrices is constructed such that
$$FA = G + t^c E$$
holds with $\deg(F), \deg(G) \le \frac{d}{n} + O(1)$ and $c = \frac{d}{m} + \frac{d}{n} + O(1)$. For us the values were approximately $\deg(F) = \deg(G) = 260{,}600$ and $c = 391{,}000$. Writing $F = \sum_j F^{(j)} t^j$ with $F^{(j)} = (f^{(j)}_{lk})$, this is equivalent to the orthogonality of the $n$ vectors
$$\sum_{j,k} f^{(j)}_{lk}\, B^{\deg F - j} y_k \qquad (1 \le l \le n)$$
to the vectors $(B^T)^i x_k$, $0 \le i < \frac{d}{m}$, $1 \le k \le m$.

4. For $k, l = 1, \dots, n$ the vectors $v_{lk} = \sum_j f^{(j)}_{lk} B^{\deg F - j} y_k$ are computed.

5. With high probability $B \cdot \sum_k v_{lk} = 0$ holds for $l = 1, \dots, n$. The vectors $v_l = \sum_k v_{lk}$ for which this holds are output as solutions.

For the complexity analysis the first and the last step can be neglected. The second and the fourth step require $(1 + \frac{n}{m})d + O(1)$ resp. $d + O(1)$ matrix vector multiplications. If the vectors $x_i$ are chosen as unit vectors the scalar product calculations in the second step become trivial. In the fourth step additional computations are required, equivalent to $n^2 d$ additions in $\mathbb{F}_2$. These can be neglected as long as $n$ is much smaller than the square root of the weight of $B$ (which we can assume). In both steps we have to store the matrix $B$ and two auxiliary vectors for doing the multiplications. Additionally, in step four $n$ vectors need to be stored.
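The five steps above for the scalar case $m = n = 1$, as an added Python example (not the authors' software, and not the block variant): one sequence $(x, B^i y)$ takes the place of the $n \times m$ matrices $A^{(i)}$, the classical Berlekamp-Massey algorithm takes the place of the matrix version in step 3, and steps 4 and 5 reduce to the observation that if $Q = \sum_i q_i t^i$ is the minimal polynomial of $y = Bz$ then $w = \sum_{i \ge 1} q_i B^{i-1} y$ satisfies $Bw = q_0 y$, so either $w$ (if $q_0 = 0$) or $w + z$ (if $q_0 = 1$) lies in the kernel. Since a single projection $x$ may expose only a divisor of the minimal polynomial, the example keeps projecting what is left of $y$ until it vanishes, the scalar analogue of needing enough $x_k$ in the block version. The matrix is a constructed toy relation matrix $R$ (rows are relations, columns are primes) with $B = R^{\mathsf T}$ padded by zero rows to make it square, so $Bv = 0$ is exactly a dependency among the rows of $R$; all names and sizes are choices made here.

```python
import random

def mat_vec(rows, v):
    """B*v over GF(2): row i of B is an int whose bit j is B[i][j]; v is a bit-vector int."""
    out = 0
    for i, r in enumerate(rows):
        if bin(r & v).count("1") & 1:
            out |= 1 << i
    return out

def dot(u, v):
    """Scalar product of two GF(2) bit-vectors."""
    return bin(u & v).count("1") & 1

def berlekamp_massey(seq):
    """Minimal polynomial p = [p_0, ..., p_L] (p_L = 1) of a GF(2) sequence: the
    shortest recurrence with sum_j p_j seq[i+j] = 0.  (The m = n = 1 case of step 3.)"""
    C, Bp, L, m = 1, 1, 0, 1            # connection polynomials as bit masks, bit j <-> t^j
    for n, s_n in enumerate(seq):
        d = s_n                         # discrepancy of the current recurrence at position n
        for j in range(1, L + 1):
            if (C >> j) & 1:
                d ^= seq[n - j]
        if d == 0:
            m += 1
        elif 2 * L <= n:
            C, Bp = C ^ (Bp << m), C
            L, m = n + 1 - L, 1
        else:
            C ^= Bp << m
            m += 1
    return [(C >> (L - j)) & 1 for j in range(L + 1)]   # reverse: p(t) = t^L C(1/t)

def poly_mul(p, q):
    out = [0] * (len(p) + len(q) - 1)
    for i, a in enumerate(p):
        if a:
            for j, b in enumerate(q):
                out[i + j] ^= b
    return out

def poly_apply(p, rows, v):
    """sum_i p_i B^i v."""
    acc, cur = 0, v
    for c in p:
        if c:
            acc ^= cur
        cur = mat_vec(rows, cur)
    return acc

def minimal_polynomial(rows, y, rng):
    """Minimal polynomial of y under B (steps 2 and 3 for m = n = 1).  One random
    projection x may only reveal a divisor, so keep going on what is left of y."""
    d = len(rows)
    q, cur = [1], y
    while cur:
        x = rng.getrandbits(d)
        seq, w = [], cur
        for _ in range(2 * d):          # 2d terms determine a recurrence of degree <= d
            seq.append(dot(x, w))
            w = mat_vec(rows, w)
        p = berlekamp_massey(seq)
        cur = poly_apply(p, rows, cur)
        q = poly_mul(q, p)
    return q

def kernel_vector(rows, rng, tries=16):
    """Nonzero v with B v = 0, following steps 1-5 of the text with m = n = 1."""
    d = len(rows)
    for _ in range(tries):
        z = rng.getrandbits(d)
        y = mat_vec(rows, z)            # step 1: y = B z
        if y == 0:
            if z:
                return z
            continue
        q = minimal_polynomial(rows, y, rng)
        # step 4: w = sum_{i>=1} q_i B^{i-1} y, so B w = q(B) y - q_0 y = q_0 y
        w = poly_apply(q[1:], rows, y)
        v = w if q[0] == 0 else w ^ z   # q_0 = 1: B w = y = B z, hence B (w + z) = 0
        if v and mat_vec(rows, v) == 0: # step 5: keep only verified solutions
            return v
    return None

def toy_relation_matrix(n_rel, n_primes, weight, seed):
    """Constructed relation matrix: each relation (row) touches `weight` random primes."""
    rng = random.Random(seed)
    return [sum(1 << j for j in rng.sample(range(n_primes), weight)) for _ in range(n_rel)]

def row_dependency(relations, n_primes, seed=1):
    """Dependency among the rows of R via B = R^T padded with zero rows to a square
    matrix: B v = 0 exactly when the rows of R selected by the bits of v sum to 0."""
    r = len(relations)
    rows = [sum(((relations[i] >> j) & 1) << i for i in range(r)) for j in range(n_primes)]
    rows += [0] * (r - n_primes)
    return kernel_vector(rows, random.Random(seed))

def is_dependency(relations, v):
    acc = 0
    for i, rel in enumerate(relations):
        if (v >> i) & 1:
            acc ^= rel
    return bool(v) and acc == 0
```

The independence the text exploits is visible in `minimal_polynomial`: the sequence $(x, B^i y)$ for one $y$ is computed without reference to any other $y_l$, which is why the $n' = 4$ blocks of 64 sequences could run on different clusters with no interaction until the Berlekamp-Massey step. The explicit `mat_vec(rows, v) == 0` check in step 5 matters in practice: with fewer than $2d$ sequence terms, or an unlucky $x$, the recurrence found can be a proper divisor and the candidate must be rejected rather than trusted.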
For the Berlekamp-Massey step we used the sub-quadratic algorithm from [17] with FFT for polynomial multiplication. Its complexity is $O\big(\frac{(m+n)^3}{n}\, d^{1+o(1)}\big)$ and its space requirement is $O\big(\frac{(m+n)^2}{n}\, d\big)$.

For small $m$ and $n$ most of the time is spent in steps 2 and 4. The total number of matrix vector multiplications, namely $(2 + \frac{n}{m})d$, will be minimal for $m \to \infty$. So, $n$ being chosen, $m$ should be chosen as large as possible such that the Berlekamp-Massey step does not dominate the run time resp. space requirements.

The computations in steps 2 and 4 can be parallelized in several ways. First, the calculation of $B^i y_l$ can be done simultaneously for different $l$. These computations are completely independent. Notice that for current computers there is almost no difference in doing one or, e.g., 64 such computations. So, we might set $n = 64n'$ and do the computations on $n'$ independent computers or clusters thereof. We used $n' = 4$ and ran the 4 computations on two clusters, sometimes 2 jobs in parallel per cluster. This ability to spread the computation across different clusters is the crucial difference between our block Wiedemann approach and many previous factoring efforts that relied on the block Lanczos method [?]. Unlike block Wiedemann, block Lanczos does not allow this type of independent distribution, roughly speaking because it requires the inversion of an $n \times n$ matrix modulo 2 per iteration, which would obviously lead to considerable communication and synchronization issues when run at different locations.

Second, the calculation of $Bv$ for a vector $v$ can be parallelized. As opposed to the above, this requires a lot of communication. More precisely, for a cluster with $n_1 \times n_2$ nodes in a torus topology the communication required for one multiplication is approximately $\frac{d}{n_1} + \frac{d}{n_2}$ per node. When $n_1$ and $n_2$ are chosen approximately equal, the communication costs deteriorate as the square root $\sqrt{n_1 n_2}$ of the number of participating nodes. At NTT we mostly used $n_1 = 11$ and $n_2 = 10$. At EPFL we used $8 \times 8$ on 64 cores (sometimes two simultaneous jobs totalling 128 cores, i.e., 32 processors), $10 \times 8$ on 80 cores, and $12 \times 12$ on 144. Lower numbers of cores were noticeably more efficient per core: when going from 64 to 144 cores we did not get a speed-up of more than 100% (as one would hope for when increasing the number of cores by more than 100%), but only a speed-up of approximately 50%. Roughly, in steps 2 and 4, a third of the time was spent on computation and two-thirds on communication.

A wider collaboration would lead to a larger $n'$ and thus larger $n$ and $m$. Given currently available hardware and the fact that we used a little more than 128GB of memory to run the Berlekamp-Massey step with our parameters, it might be possible to increase $m$ and $n$ by a factor 4. This would increase the run time by a factor 16. Given our 8 hours on 64 cores, this would result in slightly more than 5 days on existing hardware, which is feasible. Unless a much bigger cluster is used, increasing $m$ and $n$ by larger amounts seems to be difficult at the moment.

Finally, we mention a promising idea that we have experimented with. If 
approximately the same amounts of time are spent on computation and com- 
munication, it is possible to run two different jobs simultaneously on a single 
cluster, in such a way that one job is computing while the other is communicating, and vice versa. If run as independent — but intertwined — jobs (as we did),
this approach requires the matrix to be stored twice. Combining the two chunks 
in a single job in such a way that they have non-overlapping computational and 
communication needs would require the matrix to be stored just once. 

5.2 Only 50 Dependencies 

As mentioned above, we expected to find 200 dependencies but found only 50. 
Two independent oversights contributed to this phenomenon, but as far as we 
currently understand still fail to fully explain it. 

In the first place an error was uncovered in the selection of the $z_l$ vectors (cf. Step 1 of the algorithm in Section 5.1) that has a large effect on the number of solutions one may expect to find and that depends on the cluster configuration one is using. In our case this led to a reduction of the dimension of the solution space from 200 to about 34.

Secondly, after close inspection of the input matrix it was found that it con- 
tains 37 duplicate rows. Due to the peculiar way their arrangement interacts with 
the other error, this leads to 54 expected dependencies. Both these problems are 
easily avoided during future computations. 

6 The Square Root Step 

Each independent solution has a chance of at least 50% to lead to a factorization. The main calculation per solution involves the computation of a square root of a huge algebraic number that factors into small prime ideals whose norms are known. To calculate this square root we used Montgomery’s square root method [?] as described in [15] and implemented by Friedrich Bahr as part of his diploma thesis (cf. [3]). The first three solutions all led to the trivial factorization, the fourth one produced the following 80-digit prime factor

55853666619936291260749204658315944968646527018488637648010052346319853288374753

with prime 227-digit cofactor

20758181946442382764570481370359469516293970800739520988120838703792729090324679
38234314388414483488253405334476911222302815832769652537609141018910524199389933
4109711624358962065972167481161749004803659735573409253205425523689

thereby completing the factorization of $2^{1039} - 1$.

Preparing the data for 4 solutions simultaneously took 2 hours, and processing thereafter took 1.8 hours per solution, all run times on a 2.2GHz Opteron.
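A check a reader can run on the factorization stated above: an added Python example (not the authors' software) that multiplies the three factors back to $2^{1039} - 1$, confirms the digit counts, and runs a Miller-Rabin probable-prime test on each factor with bases drawn from a fixed seed. The digit strings are copied from the text. A failed Miller-Rabin round is a proof of compositeness; passing all rounds is a probable-prime verdict, not a certificate, so a reader wanting proof would hand the two large factors to a primality-proving tool.

```python
import random

P7 = 5080711
P80 = 55853666619936291260749204658315944968646527018488637648010052346319853288374753
P227 = int(
    "20758181946442382764570481370359469516293970800739520988120838703792729090324679"
    "38234314388414483488253405334476911222302815832769652537609141018910524199389933"
    "4109711624358962065972167481161749004803659735573409253205425523689")

def is_probable_prime(n, rounds=32, seed=1039):
    """Miller-Rabin with `rounds` random bases from a fixed seed.  False proves n
    composite; True means no witness was found (a probable prime, not a proof)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:                        # write n - 1 = 2^s * d with d odd
        d //= 2
        s += 1
    rng = random.Random(seed)
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False                     # a is a witness of compositeness
    return True

def verify_factorization(n_exp=1039):
    """Check that the three stated factors multiply back to 2^n_exp - 1, have the
    stated digit counts, and each pass the probable-prime test."""
    N = (1 << n_exp) - 1
    product_ok = P7 * P80 * P227 == N
    digits_ok = (len(str(P80)), len(str(P227))) == (80, 227)
    primes_ok = all(is_probable_prime(p) for p in (P7, P80, P227))
    return product_ok, digits_ok, primes_ok

if __name__ == "__main__":
    print(verify_factorization())
```

The same routine distinguishes the Mersenne prime $2^{61} - 1$ from the composite $2^{67} - 1$, which is a useful self-check before trusting its verdict on the 227-digit factor.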

Note that our attempt to select a special number with a large smallest factor was only partially successful: with more luck we would have found the 80-digit factor using ECM. To some this result is somewhat disappointing, because an 80-digit factor is considered to be ‘small’ given the size of the 307-digit composite $(2^{1039} - 1)/5080711$ that we factored. Note, however, that the factor-size is irrelevant for our result. Also, as may be inferred from the figures presented in Section 2, one may expect to spend much more computing time to find this factor using ECM than we spent on SNFS: we estimate it would require about a million curves with first phase bound 8G, at a cost of several thousand CPU years and ignoring the very substantial memory demands for the second phase (much more than 4GB RAM). If $(2^{1039} - 1)/5080711$ had had a 70-digit factor, we would have been quite unlucky; a 60-digit factor we should have caught with ECM and we would most likely have selected another ‘special’ number to factor.

7 Discussion 

As far as we are aware our factorization is the first kilobit factorization achieved 
using the special number field sieve. It must be stressed, and was already pointed 
out in the introduction, that our work does not imply that 1024-bit RSA moduli 
can now be factored by a comparable effort. Quite on the contrary, according to 
all information available to us, and as far as we know to anyone else in the open 
community, factoring a 1024-bit RSA modulus is still beyond the capabilities of 
anyone with resources a few orders of magnitude larger than ours. We estimate 
that the effort we spent would suffice to factor a 700-bit RSA modulus. 

Nevertheless, our work showed that one major hurdle is not as insurmountable as some thought it would be: unlike previous efforts we managed to distribute the major computation of the matrix step into 4 chunks whose completion did not require any interaction. It required a huge data exchange among our three locations. This was enabled by the advancement of the Internet, allowing relatively efficient, economical, and convenient communication among geographically dispersed locations at speeds up to about 100 megabits per second. It remains a subject of further research how the adverse effects of wider parallelization can be addressed and how substantially larger chunks could be handled per location. But, the beginning is there, and without any doubt our work will inspire further work in this area and lead to more and better results.

Until our work there were two major factoring milestones on our way to 1024- 
bit RSA moduli. One of these milestones, a kilobit SNFS factorization, is now be- 
hind us. The next one, and the only remaining major milestone before we would 
face 1024-bit RSA moduli, is the factorization of a 768-bit RSA modulus. We 
have no doubt that 768-bit RSA moduli are firmly within our reach, both as far as 
sieving effort and size of the matrix problem are concerned. If it is indeed 
reached, as is now safe to predict, factoring a 1024-bit RSA modulus would begin 
to dawn on the horizon of what is practically possible for the open community. 

It is unclear how long it will take to get there. But given the progress we keep 
making, and given that we consistently keep reaching our factoring milestones, 
it would be unwise to have much faith in the security of 1024-bit RSA moduli 
for more than a few years to come. To illustrate, substantiate, and quantify this 
remark, note that the first published factorization of a 512-bit RSA modulus is 
less than a decade ago (cf. [?]) and that 

$$\frac{T(1024)}{T(768)} < \frac{1}{5} \cdot \frac{T(768)}{T(512)},$$

where 

$$T(b) = \exp\left(1.923\,\ln(2^b)^{1/3}\,\bigl(\ln(\ln(2^b))\bigr)^{2/3}\right)$$

is a rough growth rate estimate for the run time of NFS when applied to a $b$-bit 
RSA modulus (cf. [H]). A more precise estimate, involving the $o(1)$ which we 
omitted in $T(b)$, would result in a value that is even smaller than $\frac{1}{5}$. This means 
that by the time we manage to factor a 768-bit RSA modulus — something we 
are convinced we are able to pull off — the relative effort of factoring a 1024-bit 
RSA modulus will look at least 5 times easier than the relative effort of factoring 
a 768-bit RSA modulus compared to a 512-bit one. As a final remark we note 
that since 1989 we have seen no major progress in factoring algorithms that can 
be run on existing hardware, but just a constant stream of refinements. There 
is every reason to expect that this type of progress will continue. 
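The growth-rate comparison above, carried through numerically as an added example (not code from the original paper): it evaluates the estimate $T(b)$ in log space, so that no float overflows, and checks the stated inequality between the 512/768/1024-bit efforts.

```python
"""Growth-rate comparison of NFS run times from the Discussion above.

Added example, not the paper's own code: evaluates the paper's estimate
T(b) = exp(1.923 ln(2^b)^(1/3) (ln ln 2^b)^(2/3)) in log space and checks the
stated inequality T(1024)/T(768) < (1/5) T(768)/T(512).
"""
import math


def nfs_log_effort(bits, c=1.923):
    """ln T(bits): the paper's rough NFS run-time estimate for a `bits`-bit
    RSA modulus, with the o(1) term omitted as in the text.  Working with
    logarithms avoids overflowing a float for large moduli."""
    ln_n = bits * math.log(2.0)              # ln(2^b)
    return c * ln_n ** (1.0 / 3.0) * math.log(ln_n) ** (2.0 / 3.0)


def effort_ratio(bits_hi, bits_lo):
    """T(bits_hi) / T(bits_lo): how many times harder the larger modulus is."""
    return math.exp(nfs_log_effort(bits_hi) - nfs_log_effort(bits_lo))


def milestone_ratio():
    """(T(1024)/T(768)) / (T(768)/T(512)): the paper states this is below 1/5."""
    return effort_ratio(1024, 768) / effort_ratio(768, 512)


if __name__ == "__main__":
    print("T(768)/T(512)  =", round(effort_ratio(768, 512)))
    print("T(1024)/T(768) =", round(effort_ratio(1024, 768)))
    print("ratio of ratios =", round(milestone_ratio(), 3), "(< 0.2 as claimed)")
```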
Abstract. We show that computing $e$-th roots modulo $n$ is easier than 
factoring $n$ with currently known methods, given subexponential access 
to an oracle outputting the roots of numbers of the form $x_i + c$. 

Here $c$ is fixed and $x_i$ denotes small integers of the attacker’s choosing. 

The attack comes in two flavors: 

— A first version is illustrated here by producing selective roots of the 
form $x_i + c$ in $L_n(\frac{1}{3}, \sqrt[3]{32/9})$. This matches the special number field 
sieve’s (SNFS) complexity. 

— A second variant computes arbitrary $e$-th roots in $L_n(\frac{1}{3}, \gamma)$ after a 
subexponential number of oracle queries. The constant $\gamma$ depends on 
the type of oracle used. 

This addresses in particular the One More RSA Inversion problem, 
where the $e$-th root oracle is not restricted to numbers of a special 
form. The aforementioned constant $\gamma$ is then $\sqrt[3]{32/9}$. 
Constraining the oracle to roots of the form $x_i + c \bmod n$ 
increases $\gamma$. 

Both methods are faster than factoring $n$ using the GNFS 
($L_n(\frac{1}{3}, \sqrt[3]{64/9})$). 

This sheds additional light on RSA’s malleability in general and on 
RSA’s resistance to affine forgeries in particular - a problem known to be 
polynomial for $x_i > \sqrt[3]{n}$, but for which no algorithm faster than factor- 
ing was known before this work. 

Keywords: RSA, factoring, NFS, roots. 


1 Introduction 

The RSA cryptosystem [?] is commonly used for providing privacy and authen- 
ticity of digital data. A very common historical practice for signing with RSA 
was to first hash the message, add a padding pattern $c$ and then raise the result 
to the power of the decryption exponent. This paradigm is the basis of numerous 
standards such as PKCS#1 v1.5 [?]. 

* Work partially supported by DGA research grant 05.34.058. 

Let $n$ and $e$ denote usual RSA public parameters (with $\lceil \log_2 n \rceil = N$)$^1$. 

In this paper we explore RSA signatures with a fixed $c$ but without the hash 
function, i.e. modular roots of the form: 


We call such numbers affine modular roots (AMRs). 

A thread of publications [?] stretching over a decade progres- 
sively established that given access to an AMR-oracle, new AMRs could be forged 
in polynomial complexity for $x > \sqrt[3]{n}$. 

No strategies faster than factoring $n$ are known for $x < \sqrt[3]{n}$ - a case tackled 
here at the cost of subexponential complexity. The main novelty in this paper is 
that, while subexponential, our method forges new AMRs for arbitrarily small $x$ 
(down to $x < n^{\varepsilon}$, $\forall \varepsilon > 0$) faster than factoring $n$. 

Moreover, we show that access to an $e$-th root oracle (in particular, an AMR- 
oracle) even allows one to compute arbitrary $e$-th roots faster than factoring $n$. Here, 
the arbitrary $e$-th root to be computed is not known before all oracle queries 
have been completed. 

We achieve this by tweaking the quadratic sieve (QS) and the number field 
sieve (NFS) factoring algorithms. 

The Results. Denoting $L_n(a, c) = \exp\left(c(1 + o(1))\,(\log n)^{a}\,(\log\log n)^{1-a}\right)$, 
we show that: 

— Using a QS-like algorithm, new AMRs can be computed in $L_{n^{3/4}}(\frac{1}{2}, 1)$ instead 
of the $L_n(\frac{1}{2}, 1)$ required for QS-factoring $n$. 

— Using an NFS-like approach, we selectively produce new AMRs in $L_n(\frac{1}{3}, \sqrt[3]{32/9})$. 

This matches the special number field sieve’s (SNFS) complexity which is 
substantially lower than the $L_n(\frac{1}{3}, \sqrt[3]{64/9})$ required to GNFS-factor $n$. 

Our experimental results for $N = 512$ and a recent SNFS-factoring record$^2$ 
clearly underline the insecurity of affine-padding RSA. 

— We present a procedure for computing arbitrary $e$-th roots in $L_n(\frac{1}{3}, \sqrt[3]{32/9} \approx 
1.53)$, requiring a general (not only AMR) $e$-th root oracle. 

A more practical variant with a slightly higher complexity $L_n(\frac{1}{3}, 1.58)$ was 
used in the experiments reported in this paper. 

— Finally, a last variant allows the computation of arbitrary $e$-th roots given 
access to an AMR-oracle with complexity $L_n(\frac{1}{3}, \sqrt[3]{6})$. To date, we could not 
make this variant practical. 

Our algorithms rely on an extension of Montgomery’s square root algorithm 
for the number field sieve [?]. If one avoids this algorithm, alternative variants 
exist which claim a higher complexity ($L_n(\frac{1}{3}, \sqrt[3]{9/2})$). 

$^1$ Throughout this paper, we will frequently denote by $|x|$ the bitlength of $x$. 

$^2$ [?], factoring a 1039-bit number using $\sim 95$ Pentium-D-years at 3 GHz. 


2 The Strategy - A General Outline 

For the sake of simplicity assume that $|x| = \frac{N}{4}$ (generalization to smaller $x$ sizes 
is straightforward). We start by writing $c$ as a modular ratio$^3$ 

$$c = \frac{a}{b} \bmod n \quad \text{where } |a| = (1 - s)N \text{ and } |b| = sN$$ 

for some $0 < s < 1$ that will be determined later. 

Noting that $c + x = \frac{a + xb}{b} \bmod n$, it is easy to derive an index calculus attack$^4$ 
as in [?]$^5$ on numbers of the form $a + xb$, that we expect to be smooth with 
respect to some factor base $B$. We can ascertain that $a + xb$ is partially smooth 
by applying a special-$q$ strategy. Two options are possible: either choose different 
partial products of size $\frac{N}{4}$ of primes belonging to $B$ (denote these partial products 
$u_i$) and sieve on $x_i$ values such that $x_i = -c \bmod u_i$$^6$, or select as special-$q$ 
primes of size $\frac{N}{4}$ and use them as the $u_i$ in the first option. From an asymptotic 
standpoint, the two approaches are equivalent. In practice, the first approach can 
produce any given equation more than once and thus requires extra bookkeeping. 
As for the second approach, each special-$q$ requires one extra equation to cancel 
out, thereby resulting in a larger system of equations. 

It remains to optimize $s$. To maximize the smoothness odds of $a + xb$ we 
require that $|a| = |xb|$, hence: 

$$(1 - s)N = |a| = |xb| = |x| + |b| = \frac{N}{4} + |b| = \frac{N}{4} + sN, \quad \text{i.e. } s = \frac{3}{8}.$$ 

In other words, we need to find multiplicative relations between numbers of 
size $\frac{5N}{8}$ divisible, by construction, by smooth factors of size $\frac{N}{4}$. All in all this 
amounts to chasing smooth numbers of size $\frac{3N}{8}$, which is easier than QS-factoring 
$n$ (the identical task for numbers of size $\frac{N}{2}$). 

More generally, when $x$ is an $\frac{N}{t}$-bit number, the job boils down to finding 
smooth numbers of size $\frac{(t-1)N}{2t}$, i.e. QS-factoring $\frac{N(t-1)}{t}$-bit RSA moduli. 

Hence, the presented strategy approaches the QS’s complexity as $t$ grows, while 
remaining below the QS’s complexity curve. 

$^3$ E.g. using a continued fraction algorithm. 

$^4$ Treat $b$ as an extra element of the factor base, together with the primes in the basis, 
to account for the denominator in the equations. 

$^5$ In [?] the signing oracle is used to compute $e$-th roots whose combination allows one to 
compute new $e$-th roots of factor-base elements. 

$^6$ To sieve, it suffices to set $x_i = -c \bmod u_i$ and consider successively $a(x_i + j u_i) + b$ 
for $j = 1, 2, \ldots$ (note that this will pollute a logarithmic number of bits in $c$). 
Given that the quadratic sieve is not the fastest factoring strategy for usual- 
size RSA moduli, the extension of the above strategy to the NFS is a natural 
question (that this paper answers positively). 

NFS algorithms work by exhibiting relations between objects in two different 
“worlds”. In some cases, we have a single number field and consider relations 
between integers and elements in that field. In other cases, there are two number 
fields. Nonetheless, with both approaches, there are two sides to consider. In this 
paper, the AMR-oracle is going to replace one of the two sides. Consequently, 
our setting is that of a single-sided NFS. This turns out to greatly improve the 
smoothness probability and hence the algorithm’s efficiency. 

We start by selecting a parameter $d$ and finding a polynomial $f$ of degree 
$d$ having sufficiently small coefficients such that $f(c) = 0 \bmod n$. Without loss 
of generality, we may assume that $f$ is irreducible over $\mathbb{Q}$. Indeed, if $f = f_1 \times 
f_2$, either $\gcd(f_1(c), n)$ is a non-trivial factor of $n$, or we can use the (smaller) 
polynomial $f_1$ instead of $f$. 

Once $f$ is chosen, we construct the number field $K = \mathbb{Q}[\alpha]$ where $\alpha$ is a 
root of $f$ over $\mathbb{Q}$. We now proceed as in the NFS and, given integers $x$, we 
construct elements $\alpha + x \in \mathbb{Q}[\alpha]$ with smooth norm over some factor base 
$B$. We recall that the norm of $\alpha + x$ is the absolute value of $f(-x)$. Note a 
major difference with NFS-factoring: indeed, we only need to smooth a single 
$\alpha + x$ for each candidate $x$ as there is no second (or rational) side to smooth 
in addition. Instead, the second side is given for free by the AMR-oracle for 
the number corresponding to $\alpha + x$, i.e. for $c + x$. When the norm is smooth, 
we can decompose $\alpha + x$ into a product of ideals of small norm in the ring 
of integers $O_K$ of $K = \mathbb{Q}[\alpha]$. 

Once enough smooth elements are found, we write them down as rows in a 
matrix where each row contains the valuation of the corresponding $\alpha + x$ at each 
prime ideal occurring in its decomposition. We also add to each row enough 
character maps in order to account for the existence of units in the number 
field. 

Then, using a sparse linear algebra algorithm, we find a linear combination of 
rows equal to zero modulo $e$. This allows us to write an $e$-th power in $\mathbb{Q}[\alpha]$ as a 
product of $\alpha + x_i$. 

The final step computes the actual $e$-th root of this $e$-th power. This yields 
a multiplicative relation between AMRs corresponding to the $\alpha + x_i$ used in the 
relation. Thus, querying all these values but one yields a new AMR for the missing 
value. The $e$-th root can be computed in a way very similar to the NFS’ square 
root computation phase. 

Alternatively, the final step can be replaced by a more involved strategy, 
namely combining the $e$-th root computation with a descent procedure very 
similar to the individual logarithm step of discrete logarithm computations with 
the NFS. This enables the calculation of $e$-th roots of arbitrary values, i.e. not 
restricted to the form $c + x$, by making a small number of additional queries of 
the restricted form $c + x$. This option is presented in Section 4. 
3 A Detailed Step-by-Step Description 

3.1 Polynomial Construction 

Given a target degree $d$ we first need to construct a polynomial $f$ irreducible 
over $\mathbb{Q}$. $f$ will then be used to define the number field $K = \mathbb{Q}[\alpha]$. The two 
important constraints on $f$ are that its coefficients should be small and that we 
must have $f(c) = 0 \bmod n$. Since we want to minimize the average norm $f(-x)$ 
of numbers $\alpha + x$, it is a good idea to use a skewed polynomial. More precisely, 
assume that $B$ bounds the absolute value of $x$; then we want to choose a bound 
$C$ such that the coefficient of degree $i$ in $f$ has absolute value smaller than $\frac{C}{B^i}$. 
Assuming that $B^{d(d+1)/2} < n$$^7$, we choose $C = \sqrt[d+1]{n B^{d(d+1)/2}}$ and the polynomial 
$f$ can be constructed by reducing the lattice generated by the columns of the 
$(d + 2) \times (d + 2)$ matrix 

$$L = \begin{pmatrix} \lambda & \lambda c & \cdots & \lambda c^d & \lambda n \\ 1 & 0 & \cdots & 0 & 0 \\ 0 & B & \cdots & 0 & 0 \\ \vdots & & \ddots & & \vdots \\ 0 & 0 & \cdots & B^d & 0 \end{pmatrix}$$ 

where $\lambda$ is a sufficiently large constant to guarantee that any short vector in 
the lattice has zero in its first coordinate. Such a short vector can be easily 
interpreted as a polynomial by reading the coefficient of $x^i$ in row $i + 2$ (the 
coefficient should be re-normalized by a division by $B^i$). This polynomial clearly 
has $c$ as a root modulo $n$. Moreover, when evaluating the polynomial at $x$ smaller 
than $B$ (in absolute value) we see that each term is bounded by the corresponding 
value in the initial short vector. 

Since the determinant of $L$ is $n B^{d(d+1)/2}$, we expect short-vector coefficients 
to be of size 

$$C = \sqrt[d+1]{n B^{d(d+1)/2}} = n^{\frac{1}{d+1}} B^{\frac{d}{2}}.$$ 
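The lattice construction of Section 3.1, as an added example that is not code from the paper: it builds the matrix above for a constructed toy instance (the modulus $n$, root $c$, degree $d$ and bound $B$ below are assumptions of this example, not the paper's values), reduces it with a textbook LLL, and reads $f$ off the first short vector, checking $f(c) \equiv 0 \pmod n$ and the $C/B^i$ coefficient shape.

```python
"""Skewed polynomial selection by lattice reduction (Section 3.1).

Added example, not the paper's code: builds the (d+2) x (d+2) lattice of
the text for a constructed toy instance (n, c, d, B) and reduces it with
a textbook LLL, then reads f off the first short vector.
"""
from fractions import Fraction

# Constructed toy instance (not from the paper): a ~40-bit modulus n, a
# prescribed root c < n, target degree d and sieving bound B with
# B^(d(d+1)/2) < n, as Section 3.1 requires.
N_TOY = 1048583 * 1048589
C_TOY = 10**11 + 7
D_TOY = 3
B_TOY = 16


def _dot(u, v):
    return sum(a * b for a, b in zip(u, v))


def _gram_schmidt(b):
    """Exact rational Gram-Schmidt of the row vectors in b: returns (b*, mu)."""
    k = len(b)
    bstar, mu = [], [[Fraction(0)] * k for _ in range(k)]
    for i in range(k):
        v = [Fraction(x) for x in b[i]]
        for j in range(i):
            mu[i][j] = _dot(b[i], bstar[j]) / _dot(bstar[j], bstar[j])
            v = [x - mu[i][j] * y for x, y in zip(v, bstar[j])]
        bstar.append(v)
    return bstar, mu


def lll(basis, delta=Fraction(3, 4)):
    """Textbook LLL on integer row vectors; fine for the tiny dimensions here."""
    b = [list(v) for v in basis]
    bstar, mu = _gram_schmidt(b)
    k = 1
    while k < len(b):
        for j in range(k - 1, -1, -1):          # size-reduce b[k]
            q = round(mu[k][j])
            if q:
                b[k] = [x - q * y for x, y in zip(b[k], b[j])]
                bstar, mu = _gram_schmidt(b)
        lovasz = (delta - mu[k][k - 1] ** 2) * _dot(bstar[k - 1], bstar[k - 1])
        if _dot(bstar[k], bstar[k]) >= lovasz:
            k += 1
        else:
            b[k], b[k - 1] = b[k - 1], b[k]
            bstar, mu = _gram_schmidt(b)
            k = max(k - 1, 1)
    return b


def polynomial_lattice(n, c, d, B, lam):
    """Columns of the paper's matrix L, returned as row vectors (generators):
    (lam*c^i, 0, .., B^i at slot i+1, .., 0) for i = 0..d, plus (lam*n, 0, .., 0)."""
    rows = []
    for i in range(d + 1):
        row = [0] * (d + 2)
        row[0] = lam * c**i
        row[i + 1] = B**i
        rows.append(row)
    rows.append([lam * n] + [0] * (d + 1))
    return rows


def select_polynomial(n, c, d, B):
    """Return coefficients [a_0, .., a_d] of f with f(c) = 0 mod n and
    |a_i| of size about C / B^i, read off the first LLL-reduced vector."""
    lam = n * B**d                    # large enough that short vectors have first coordinate 0
    for v in lll(polynomial_lattice(n, c, d, B, lam)):
        if v[0] != 0:
            continue                  # not a relation modulo n: skip it
        coeffs = [v[i + 1] // B**i for i in range(d + 1)]   # undo the skew B^i
        if any(coeffs):
            return coeffs
    raise ValueError("no short vector with vanishing first coordinate")


def eval_poly(coeffs, x):
    return sum(a * x**i for i, a in enumerate(coeffs))


def term_bound(n, d, B):
    """C = (n * B^(d(d+1)/2))^(1/(d+1)): the expected size of each a_i * B^i."""
    return (n * B ** (d * (d + 1) // 2)) ** (1.0 / (d + 1))


if __name__ == "__main__":
    f = select_polynomial(N_TOY, C_TOY, D_TOY, B_TOY)
    print("f =", f, " f(c) mod n =", eval_poly(f, C_TOY) % N_TOY)
```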


3.2 Sieving 

From a sieving standpoint, there is an essential difference between our algorithm 
and the NFS. Indeed, our sieving has a single degree of freedom instead of two. 
More precisely, instead of scanning numbers of the form $a\alpha + b$ for a fixed $\alpha$ and 
arbitrary pairs of small $\{a, b\}$, we need to examine numbers of the form $\alpha + x$. 

Luckily, the bound on $x$ is large enough to compensate for the absence of the second 
degree of freedom, but this restricts our sieving technique options. Indeed, we 
cannot use a lattice sieve strategy and have to rely instead on a straightforward 
sieve-by-line algorithm. To avoid using large numbers while sieving over $x$, we 
used a special-$q$ approach: for each special-$q$ prime ideal $(q, \alpha - r)$, we considered 
the algebraic integers $\alpha + (qx - r)$, with $x \in [-\frac{B}{q}, +\frac{B}{q}]$. 

$^7$ This is necessary to avoid finding zero for high degree coefficients; of course, where 
necessary, we can always lower $B$ in this construction and sieve over a smaller $x$ 
range (as long as enough equations are found). 
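The single-degree-of-freedom special-$q$ line sieve of Section 3.2 (and of the Appendix A run), as an added example that is not the paper's code: the cubic $f$, factor base bound, special-$q$ and $x$ range are constructed toy values chosen so the run finishes instantly; the sieve accumulates $\log p$ on the residue class of $x$ where each factor base ideal divides the norm of $\alpha + (qx - r)$, then confirms candidates by trial division.

```python
"""Single-degree-of-freedom special-q line sieve (Section 3.2 / Appendix A).

Added example, not the paper's code. The number field, factor base bound,
special-q and sieving range are constructed toy values; the paper's own
run used a quartic f, B = 2^22 and x in [-2^28, 2^28].
"""
from math import log

# Constructed toy setting: K = Q[alpha] with f(t) = t^3 + 2 (monic, irreducible
# over Q), so the norm of alpha + y is |f(-y)| exactly as in the text.
F_TOY = [2, 0, 0, 1]        # coefficients of f, lowest degree first
FB_BOUND = 200              # degree-one prime ideals of norm <= 200
SPECIAL_Q = 41              # the special-q prime; its ideal is (41, alpha - r)
X_RANGE = 50                # sieve x in [-X_RANGE, X_RANGE]


def f_eval(f, t):
    return sum(a * t**i for i, a in enumerate(f))


def norm_alpha_plus(f, y):
    """Norm of alpha + y in K, i.e. |f(-y)| for monic f."""
    return abs(f_eval(f, -y))


def primes_upto(bound):
    flags = [True] * (bound + 1)
    primes = []
    for p in range(2, bound + 1):
        if flags[p]:
            primes.append(p)
            for m in range(p * p, bound + 1, p):
                flags[m] = False
    return primes


def roots_mod(f, p):
    return [r for r in range(p) if f_eval(f, r) % p == 0]


def factor_base(f, bound):
    """Degree-one prime ideals (p, alpha - r) with p <= bound and f(r) = 0 mod p."""
    return [(p, r) for p in primes_upto(bound) for r in roots_mod(f, p)]


def ideal_factorization(f, y, fb):
    """Trial-divide |f(-y)| over the factor base primes.  A prime p dividing the
    norm corresponds to the ideal (p, alpha - r) with r = -y mod p.  Returns
    ({ideal: exponent}, cofactor); cofactor == 1 means the element is smooth."""
    n = norm_alpha_plus(f, y)
    exps = {}
    for p in sorted({p for p, _ in fb}):
        while n % p == 0:
            n //= p
            ideal = (p, (-y) % p)
            exps[ideal] = exps.get(ideal, 0) + 1
    return exps, n


def sieve_special_q(f, fb, q, r_q, x_range, slack=2 * log(FB_BOUND)):
    """Sieve the elements alpha + (q*x - r_q), x in [-x_range, x_range], by line.

    For each factor base ideal (p, alpha - r_p), p divides the norm exactly when
    q*x - r_q = -r_p (mod p), i.e. on one residue class of x mod p; log p is
    accumulated there.  Candidates whose accumulated logs come within `slack`
    of log(norm) are confirmed by trial division (prime powers are not sieved,
    hence the slack).  Returns the verified relations (x, y, ideal exponents)."""
    size = 2 * x_range + 1
    acc = [log(q)] * size                  # q divides every norm by construction
    for p, r_p in fb:
        if p == q:
            continue
        x0 = ((r_q - r_p) * pow(q, -1, p)) % p
        for i in range((x0 + x_range) % p, size, p):
            acc[i] += log(p)
    relations = []
    for i, s in enumerate(acc):
        x = i - x_range
        y = q * x - r_q
        if s < log(norm_alpha_plus(f, y)) - slack:
            continue                       # too little factor base contribution
        exps, cofactor = ideal_factorization(f, y, fb)
        if cofactor == 1:
            relations.append((x, y, exps))
    return relations


def relations_bruteforce(f, fb, q, r_q, x_range):
    """Reference: trial-divide every x (no sieving), for checking the sieve."""
    out = []
    for x in range(-x_range, x_range + 1):
        y = q * x - r_q
        exps, cofactor = ideal_factorization(f, y, fb)
        if cofactor == 1:
            out.append((x, y, exps))
    return out


if __name__ == "__main__":
    fb = factor_base(F_TOY, FB_BOUND)
    r_q = roots_mod(F_TOY, SPECIAL_Q)[0]
    for x, y, exps in sieve_special_q(F_TOY, fb, SPECIAL_Q, r_q, X_RANGE):
        print(f"x={x:4d}  alpha+({y})  norm={norm_alpha_plus(F_TOY, y)}  {exps}")
```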
3.3 Linear Algebra and Characters 

Depending on the size of $e$, one may either use a Lanczos/Wiedemann or a block 
Lanczos/Wiedemann approach. If $e$ is large enough, no self-orthogonal vector 
appears (unless we are extremely unlucky) and the simple approach succeeds. 
For smaller $e$, a block approach is required (the block size $2 \le z \le 32$ varies 
with $e$ and is a bit smaller when $e = 3$). 

When linear algebra is performed directly on the sieving phase’s output, the 
method yields a multiplicative relation between ideals of the form: 


Such a relation, however, is insufficient to ensure that the product $\prod (\alpha + x_i)^{\mu_i}$ 
is an $e$-th power in $K$. Obstructions may arise from the $e$-part of the ideal class 
group of $O_K$, as well as from the quotient of the unit group $O_K^* / (O_K^*)^e$. To 
annihilate these obstructions we have to add characters. We require that: 


vanishes, for several (additive) character maps $\chi : K^* \to \mathbb{F}_e$. We have the fol- 
lowing choices for character maps: 

— In [?], an approximation of the $e$-adic logarithm is used. Such characters 
are easy to compute but might fail to account for the full obstruction, as 
they cover at most the obstruction stemming from the unit group. Should $e$ 
ramify in $O_K$, or $eO_K$ be divisible by a prime ideal belonging to the factor 
base, technicalities occur but do not prevent using these characters. 

— It is also possible to follow the classical approach used for NFS-factoring [?], 
i.e. test for powers modulo primes congruent to 1 mod $e$. The number of 
characters accessible thereby is infinite. To map these multiplicative charac- 
ters to additive ones, a discrete logarithm modulo $e$ must be solved, which 
is trivial for small $e$. For larger $e$ values (where this might be a problem) 
heuristic arguments indicate that characters of the first kind would suffice 
anyway [?]. 

A typical drawback of characters is that they add a dense part to the relation 
matrix, which might cause a slight performance penalty. In the particular case 
we are interested in (just as in NFS-factoring) it is possible to perform the linear 
algebra without the character columns, produce several row dependencies and 
do a second reduction to recombine these dependencies into dependencies with 
vanishing characters. 

If we elect to adopt the latter idea it becomes particularly advisable to use 
block algorithms for the linear algebra, since these algorithms output several 
vectors of the null-space simultaneously. 

The linear algebra step also gives us the opportunity to check that $K$’s class 
number is co-prime to $e$ (to avoid possible technical problems infra). We do so 
by checking that the rank of the relation matrix is not abnormally low modulo 
$e$. This extra check is achieved in the same complexity and is therefore ignored 
hereafter. Moreover, when $e$ is a large prime, we do not need to test anything, 
since the probability that $e$ divides the class number is negligible. 

3.4 Root Extraction 

The linear algebra stage yields a product of algebraic integers $\pi = \prod (\alpha + x_i)^{\mu_i}$ 
which is known to be an $e$-th power in $K$ since $\chi(\pi) = 0$ for satisfyingly many 
characters $\chi$. This allows us to compute an $e$-th root in $\mathbb{Z}_n$ for any $c + x_{i'}$, as 
long as the corresponding exponent $\mu_{i'} \ne 0 \bmod e$. To do so, we first have to 
raise $\pi$ to the power of $\mu_{i'}^{-1} \bmod e$. In other words, we can assume without loss 
of generality that $\mu_{i'} = 1$. 

When $e$ is small, the computation of the $e$-th root of $\pi$ can be done using a 
straightforward generalization of Montgomery’s square root algorithm [?]. 

Once the $e$-th root $R(\alpha)$ is computed, we have: 

$$(c + x_{i'}) \prod_{i \ne i'} (c + x_i)^{\mu_i} = R(c)^e \bmod n,$$ 

i.e.: 

$$(c + x_{i'})^{d} = R(c) \prod_{i \ne i'} (c + x_i)^{-\mu_i d} \bmod n.$$ 

One might question the applicability of Montgomery’s algorithm to very large 
values of $e$. Our computations in Appendix A indicate that $e = 65{,}537$ is achiev- 
able with no difficulty and tests up to $e \approx 10^{15}$ were conducted successfully. 
These results lead us to infer that this approach is practical at least for our 
range of interest. 

However, should this strategy become difficult for larger $e$, a different (more 
expensive) approach might be used: replace the sparse linear algebra modulo $e$ by 
exact Gaussian elimination or Hermite normal form and find relations expressing 
each ideal as a product (quotient) of smooth elements. This associates to each 
ideal a projection$^8$ in $\mathbb{Z}_n$ and also its $e$-th root. The drawbacks are higher memory 
requirements and a higher exponent in the linear algebra’s complexity. 

3.5 Complexity Analysis 

Our complexity analysis closely follows the NFS’s one. Let $w$ denote the linear 
algebra’s exponent. We write the degree $d$, the sieving range $[-S, +S]$ and the 
factor base bound $B$ as: 

$$d = \delta \left(\frac{\log n}{\log\log n}\right)^{1/3}, \quad S = L_n(\tfrac{1}{3}, w\beta), \quad B = L_n(\tfrac{1}{3}, \beta).$$ 

This particular choice of $S$ and $B$ ensures that the sieving step (which costs 
$S$) and the linear algebra step (which costs $B^w$) are balanced. 

Using the lattice-based construction, the coefficients of $f$ have average size 
$A = \sqrt[d+1]{n} = L_n(\frac{2}{3}, \frac{1}{\delta})$. By choosing a skewed $f$, we find that the size of $f(x)$ for 
$x \in [-S, +S]$ is: 

$$A \times S^{d/2} = L_n\left(\frac{2}{3}, \frac{1}{\delta} + \frac{w\delta\beta}{2}\right).$$ 

The probability that $f(x)$ is $B$-smooth is $L_n(\frac{1}{3}, -\pi)$ with $\pi = \frac{1}{3\beta}\left(\frac{1}{\delta} + \frac{w\delta\beta}{2}\right)$. 

To get enough smooth relations, we need to ensure that $w\beta - \pi = \beta$. 

For $w = 2$, these equations lead to the choice $\beta = \sqrt[3]{4/9}$, $\delta = \sqrt[3]{3/2}$. As a 
consequence, the complexity of the sieving and linear algebra steps put together 
is $L_n(\frac{1}{3}, 2\beta) = L_n(\frac{1}{3}, \sqrt[3]{32/9})$. This is equal to the complexity of the SNFS factoring 
algorithm which applies to a restricted class of numbers. 

Another very important parameter is the number of AMR-oracle queries, which 
is subexponential but significantly smaller than the algorithm’s runtime. This 
number of queries is $L_n(\frac{1}{3}, \beta) = L_n(\frac{1}{3}, \sqrt[3]{4/9})$. 

The alternative using integer linear algebra mentioned above yields a com- 
plexity of: 

The case $w = 3$ gives $L_n(\frac{1}{3}, \sqrt[3]{9/2} \approx 1.65)$. Note that according to [?], 
the integer linear algebra can be done with exponent $w = 2.5$, which yields 
$L_n(\frac{1}{3}, \sqrt[3]{625/162} \approx 1.57)$. However this approach requires asymptotically fast matrix 
multiplication techniques which might prove too cumbersome for cryptographic 
applications. 

$^8$ In theory, such a projection can be defined rigorously using the Hilbert class field of 
the number field used. Indeed, in the Hilbert class field, all ideals are principal and 
sending a generator to $\mathbb{Z}_n$ is easy; however, since the degree of the Hilbert class field 
is extremely large, it cannot be used in practice. 

As our algorithms are subexponential, the assessment of their experimental 
behavior is essential. We hence implemented them and actually forged a 512-bit 
AMR. Details are given in Appendix A. 

Open Problem — Potential Improvements: When the number of fixed pad 
bits is small enough, the possible sieving range of $x$ when sieving over $c + x$ (or 
$\alpha + x$) may be too large$^9$. 

Under such circumstances, we get some additional freedom when constructing 
$f$. Indeed, we may replace $c$ by some $c' \approx c$, thereby reducing the sieving range. 
Clearly, amongst all possible $c'$ values some yield $f$’s whose coefficients are 
smaller than average. 

We could not find any efficient way of taking advantage of this extra freedom 
to build better polynomials and further reduce the attack’s complexity. 

$^9$ Cf. the related footnote in Section 3.1. 
4 Attacking the One More RSA Inversion Problem 

Up to now, we have obtained either an AMR-forgery or an adaptive chosen cipher- 
text attack (CCA2) on plain RSA. In this section, we extend the attack to obtain 
a non-adaptive chosen ciphertext attack (CCA1) on plain RSA. Equivalently, we 
attack the One More RSA Inversion Problem, proposed by Bellare et al. in [?]. 
Again, while subexponential, this attack is faster than GNFS-factoring $n$. In the 
context of the One More RSA Problem it is not really meaningful to assume that 
the initial RSA queries have a special form, thus we grant the attacker access to 
an unlimited $e$-th root oracle during the first phase of the attack. 

Once the restriction on oracle queries is lifted, we are no longer constrained to 
use polynomials with a prescribed root $P$. Moreover, we are no longer limited to 
a single dimensional sieve, but can use a classical NFS sieve with two degrees of 
freedom, using a lattice sieving technique. This does not change the asymptotic 
complexity but allows us to reuse existing fast sieving code more easily. Not being 
restricted to a prescribed root, we may use any polynomial of our choice. Despite 
this clear gain, to solve the One More RSA Inversion Problem and become non- 
adaptive, we need to devise an algorithm allowing us to compute the $e$-th root of 
an arbitrary number without any additional oracle queries. This requires a new 
descent procedure since the technique sketched at the end of Section 2 requires 
additional oracle queries. Looking at similar problems arising in the individual 
discrete logarithm phase of discrete logarithm computations, we see that such 
a non-adaptive descent can be done by alternating between two NFS sides. Thus, 
we need to introduce a second side into our algorithm. While, at a first glance, 
this seems to void our single-sided NFS complexity improvement, it turns out 
that this intuitive perception is false since we can initially do the single-sided 
NFS separately for both sides. 

The addition of a second side entails a complication for the descent, however. 
To achieve the announced complexity, the initial factor base bound is set to 
$L_n(\frac{1}{3}, \sqrt[3]{4/9})$. This is well below the $L_n(\frac{1}{3}, \sqrt[3]{8/9})$ encountered when computing dis- 
crete logarithms. This implies that the descent procedure has to descend below 
what is done for computing discrete logarithms. While the impact on the overall 
complexity is not visible, this is a clear practical concern. To compensate for 
this fact, we add an intermediate phase in our algorithm in order to enlarge the 
factor base from $L_n(\frac{1}{3}, \sqrt[3]{4/9})$ to $L_n(\frac{1}{3}, \sqrt[3]{8/9})$. 

4.1 The Inversion Algorithm 

Step 0 — Setup. We first set up on the algebraic side a number field $K = \mathbb{Q}(\alpha)$ 
defined by a polynomial equation $f(\alpha) = 0$. The easiest (though not unique) 
choice for the second side is a rational side given by a polynomial $g$ such that $f$ 
and $g$ share a common root $P$ modulo $n$. The classical base-$m$ technique can be 
used for this purpose. 

We denote by $\rho$ the rational root of $g$ (we have $\rho = m$ if $g$ is monic). 
Step 1 — Precomputation. The factor base $\mathcal{F}$ on the algebraic side consists 
of ideals of norm bounded by $B \approx L_n(\frac{1}{3}, \sqrt[3]{4/9})$. By sieving, we obtain coefficient 
pairs $\{x, y\}$ yielding relations of the form: 

$$(x - y\alpha) = \prod_{\mathfrak{p} \in \mathcal{F}} \mathfrak{p}^{m_{\mathfrak{p}}}, \quad \text{and} \quad \chi(x - y\alpha) = (\lambda_k)_{k=1,\ldots,c}$$ 

where $\chi$ is a character map onto $\mathbb{F}_e^c$, for some arbitrary dimension $c$. We con- 
catenate the coefficients $(m_{\mathfrak{p}})$ and $\lambda_k$ to form the rows of a matrix $M$. 

Step 2 — Factor Base Extension. The extended factor base $\mathcal{F}'$ consists of 
ideals of norm bounded by $B' \approx L_n(\frac{1}{3}, \sqrt[3]{8/9})$. We sieve on the algebraic side only, 
using each additional prime ideal that we want to add as a special-$q$. We ask for 
a single relation between this prime ideal and the smaller ones. 

Step 3 — Oracle Queries. We query the oracle for the $e$-th root of the numbers 
$x - yP$ for each integer pair $\{x, y\}$ encountered in steps 1 and 2. We also query 
for the $e$-th root of all prime numbers below $B'$. 

Step 4 — Descent Initialization. In our game, it is only at this point that 
the attacker learns the challenge number $t$ whose $e$-th root he must compute. 

The descent mimics individual discrete logarithm computations. The descent 
is initialized by picking a random mask $m$ and two integers $u$ and $v$ such that 
$\frac{u}{v} = m^e t \bmod n$, and which factor simultaneously into primes bounded by $L_n(\frac{1}{3}, \cdot)$. 

Step 5 — Descent. We maintain a set $\{(\sigma, e)\}$ of polynomials $\sigma$ and exponents 
$e$ such that $S = \prod \sigma^e$ satisfies: 

$$(S(\alpha)) = \prod_{\mathfrak{p} \in \mathcal{F}'} \mathfrak{p}^{\mu_{\mathfrak{p}}} \cdot I_1 \quad \text{(algebraic side)},$$ 

$$\text{and} \quad -S(\rho) = \prod_{p < B'} p^{\nu_p} \cdot I_2 \quad \text{(rational side)}.$$ 

Initially $S = 1$, and the exponents $\nu_p$ mark the prime numbers appearing in 
the factorization of $u$ and $v$. 

The remaining terms $I_1$ and $I_2$ factor into ideals (or primes) outside the factor 
base. The descent procedure aims at eliminating these ideals. For this purpose, 
we iteratively use special-$q$ sieving to trade these ideals for ideals of smaller 
norm. 

Using the relations obtained from the factor base extension step, we form 
another rational fraction $T$ such that the ideal $(S(\alpha)T(\alpha))$ factors into ideals 
belonging to the smaller factor base $\mathcal{F}$. 

Step 6 — Linear Algebra. Once we have reached the point where $I_1 = (1)$ 
and $I_2 = (1)$, we seek a linear combination of the rows of the matrix $M$ which 
equals the valuations and character values corresponding to the algebraic number 
$S(\alpha)T(\alpha)$. 

This inhomogeneous linear system amounts to exhibiting an algebraic number 
$U(\alpha)$ obtained as a combination of the numbers $x - y\alpha$ found in step 1, and such 
that $S(\alpha)T(\alpha)U(\alpha)$ is an $e$-th power in $K$. 

Step 7 — End. We use Montgomery’s $e$-th root algorithm to write the previous 
number explicitly as an $e$-th power of an algebraic number $r(\alpha)^e$. 

By construction, the $e$-th roots of $T(P)$ and $U(P)$ are known by the ora- 
cle queries. Using the rational side product form and the corresponding oracle 
queries, the $e$-th root of $-S(P)$ is known as well. We infer: 

4.2 Complexity Analysis 

Using the same parameters as in Section 3, all steps except steps 2 to 5 are 
achieved with complexity $L_n(\frac{1}{3}, \sqrt[3]{32/9})$. 

The complexity of step 2 depends of course on the choice of $\beta'$. The summation 
from $B = L_n(\frac{1}{3}, \beta)$ to $B' = L_n(\frac{1}{3}, \beta')$ yields a complexity $L_n(\frac{1}{3}, \theta)$ where $\theta$ ranges 
from a lower value when $\beta'$ is chosen close to $\beta$, up to 1.577 with the suggested value 
$\beta' = \sqrt[3]{8/9}$ (the detailed calculations, omitted for brevity, will be included in the 
IACR ePrint version of this paper). 

The number of oracle queries (step 3) is $L_n(\frac{1}{3}, \beta' = \sqrt[3]{8/9})$. 

The descent (steps 4 and 5) is analyzed in [?], and found to have complexity 
$L_n(\frac{1}{3}, \sqrt[3]{3})$. 

We highlight, however, the complexity of the last descent steps, where ideals 
of norm just above $B' = L_n(\frac{1}{3}, \beta')$ have to be canceled. For each such ideal, 
one relation is sought. Using special-$q$ sieving, we can form $L_n(\frac{1}{3}, 2a)$ candidates 
whose algebraic (resp. rational) norm is bounded by L n ^|, | + S 
(resp. L n (|, i)). One relation is expected when a satisfies: 


2a -\{k + ^{ a + b) + w) 


Substituting $\beta' = \sqrt[3]{8/9}$ above, we obtain that the last descent steps are 
achieved in complexity $L_n(\frac{1}{3}, 0.99)$, which is not dominating. Using $\beta' = \beta$ 
(thereby skipping the factor base extension), this cost would be $L_n(\frac{1}{3}, 1.27)$ which 
is not dominating either. 

This implies that we have some flexibility in the tuning of the factor 
base extension. In order to match previously completed discrete logarithm 
computations, we chose to extend to $\beta' = \sqrt[3]{8/9}$ but this choice should be regarded 
as unconstrained. 

We conclude that the asymptotic complexity of the arbitrary $e$-th root com- 
putation is either $L_n(\frac{1}{3}, \sqrt[3]{32/9})$ or $L_n(\frac{1}{3}, 1.58)$. We believe the latter to be more 
practical, as is illustrated by our experiments (Appendix B). 

4.3 Computing $e$-th Roots with an AMR-Oracle 

While we have presented and implemented the arbitrary $e$-th root computation 
algorithm using access to a general $e$-th root oracle, the same can also be achieved 
using an AMR-oracle only. In this case, the common root $P$ is prescribed, and 
it is not possible to use a rational side. Nonetheless, the above approach works 
using two algebraic sides; steps 1, 2, 6, and 7 have to be done separately on 
both sides. Step 4, however, turns out to have a higher complexity requirement 
$L_n(\frac{1}{3}, \sqrt[3]{6})$, and the individual descent steps in step 5 are more expensive. We 
could not demonstrate the practicality of such a setting. 
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A Implementation Details 

As our algorithms are subexponential, the assessment of their experimental 
behavior is essential. We hence implemented them and actually computed a 
512-bit AMR. 

We wrote our software chain in C and C-H-, relying upon the computer 
algebra systems pari-gp and magma for a handful of specific tasks. The attacked 
instance was c == 10 154 , e = 65, 537 and n = RSA-155 (rsa Laboratories 512-bit 
challenge modulus). 

The polynomial selection (Section […]) was implemented in MAGMA. To obtain 
a satisfactory relation yield, we set $B = 2^{22}$ (i.e. a factor base comprising 
circa 300,000 prime ideals). For $S = 2^{50}$, the polynomial selection program 
returned the quartic candidate$^{10}$ $f(x) = \sum_{i=0}^{4} a_i x^i$ where: 

$a_4 = 8$ 

$a_3 = 5451802006688119$ 

$a_2 = -73448933413887326228141654T043T$ 

$a_1 = 833050630351576525584507524542841090670386803$ 

$a_0 = -80690902433251999116158516330020702292190401223994350445959$ 

We worked in $K = \mathbb{Q}[x]/(f)$ and counted 295,842 prime ideals of degree one (or 
dividing the leading coefficient) in the ring of integers of $K$. 

The sieving process was run on a heterogeneous set of CPUs: AMD Opteron 
250 at 2.4 GHz and Intel Core-2 at various clock speeds. 

For each special-$q$ ideal written as $(q, \alpha - r)$, we isolated the integers $x \in 
[-2^{28}, 2^{28}]$ such that the added contribution of factor base ideals to the norm of 
the ideal $(r + qx - \alpha)$ exceeded $2^{145}$ (out of an order of magnitude just below 
$2^{200}$). This selection process isolated instantaneously$^{11}$ circa 100 candidates, of 
which around nineteen yielded relations. Considering the largest 20,000 ideals 
in the factor base as special-$q$ ideals, we obtained 380,000 relations. The sieving 
step was distributed over twenty CPUs and took a couple of hours. We stress 
that we did not use any "large prime" variation. 

After pruning the columns corresponding to ideals never encountered in the 
factorizations, we were left with a row dependency to be obtained on a 
$283{,}355 \times 283{,}355$ matrix. We included four readily computed character columns 
in the matrix, to ensure that the computed dependency corresponds to an e-th 
power. The dependency was obtained using the block Wiedemann algorithm, 
with a "blocking factor" of $m = n = 8$. This took four CPU hours$^{12}$ distributed 
on four machines to produce one row dependency. 

The e-th root computation was done in MAGMA. 

We started with a product formula $\pi$ whose numerator and denominator had 
a norm $\approx e^{7.6 \times 10^{\ldots}}$ and with a moderate unit contribution, since the logarithms 
of the complex embeddings were approximately 

$$(A + 45,\ A + 45,\ A - 155,\ A + 65) \quad\text{where } A = \tfrac{1}{4}\log \mathrm{Norm}(\pi) \approx 6710.$$

Here $A$ is the normalizing term. The unit contribution is quite small, since a unit with logarithms of 
complex embeddings equal to $(45, 45, -155, 65)$ would correspond to an algebraic 
integer with coefficients of about twenty decimal digits. The first four reduction 
steps sufficed to eliminate this unit contribution (i.e. equalling the logarithms 
of the complex embeddings with their average). After 2,000 reduction steps, 
we obtained a complete product formula for the root, the remaining e-th power 
being $-1$. It took five minutes to compute this e-th root. 

The corresponding final multiplicative dependency involved 242,700 integers 
of the form $c + x_i \bmod n$. 

$^{10}$ Best amongst a set of 1,000 candidates. 

$^{11}$ 2.667 GHz Intel Core-2 CPU. 

$^{12}$ 2.667 GHz Intel Core-2. 

B Example of an e-th Root Computation 

As an experimental illustration of the arbitrary e-th root computation, we used 
once again $n = $ RSA-155. For a public exponent $e = 65{,}537$, we detail the 
computation of an arbitrary e-th root given access to a preliminary e-th root 
oracle (the attacker is given the challenge only once all oracle queries have been 
performed). 

We have chosen a setup resembling a typical NFS factoring experiment or a 
computation of discrete logarithms. The polynomials $f_1 = \sum_i a_i x^i$ and $f_2 = 
\sum_i b_i x^i$ are given by the following coefficients, the polynomial $f_2$ corresponding 
to a rational side: 

$a_5 = 28200000$ 

$a_4 = -7229989539851$ 

$a_3 = -24220733860168568962$ 

$a_2 = -6401736489600175386662132$ 

$a_1 = 4117850270472750057831223534880$ 

$a_0 = 747474581145576370776244346990929200$ 

$b_1 = 14507315380338583$ 

$b_0 = -207858336487818193824240150287$ 

These two polynomials are easily seen to share a common root $P$ modulo $n$. 
The sieving stage has been performed only on the number field side. We 
chose as a small factor base the set of prime ideals of norm below $B = 4 \times 10^6$ 
(i.e. 283,042 ideals). For the sieving, we have used the lattice sieving program 
lasieve4 of J. Franke and T. Kleinjung included in the ggnfs software suite. 
The program was modified to sieve only on one side. Using a double large prime 
variation, the sieving step was completed in two CPU hours on a 2.4 GHz 
AMD Opteron. 

We then extended the factor base to the larger bound $B' = 2^{32}$. After 44 
CPU hours, we were able to relate 37% of the ideals of this larger factor base to 
ideals of the smaller factor base (the larger factor base comprises approximately 
$2 \times 10^8$ ideals). 

Counting oracle queries related to both sides, we need to perform $4 \times 10^8$ 
queries before being able to compute arbitrary e-th roots. 

We have implemented the descent procedure using MAGMA, as well as the 
lasieve4 program, modified in order to account for the very large special $q$'s 
used in the descent process. The factorization of the numerous sieve residues 
produced was handled by the GMP-ECM program. 

The descent was initialized on the rational side. We obtained integers $u$ and 
$v$ which factored into primes with at most 35 decimal digits. Each step of the 
descent procedure involved a lasieve4 call, in order to select several candidate 
polynomials. Amongst the possible polynomials, our strategy selected the one 
leading to the fewest ideals outside the factor base (taking into account the large 
ideals coming from the factor base extension). After 42 descent steps, we obtained 
a product formula involving 594 prime numbers and ideals below $B' = 2^{32}$. Some 
(19) ideals in this product formula belonged to the set of "missed" ideals from 
the larger factor base. With 21 extra descent steps, these ideals were eliminated. 
The descent procedure took roughly one hour. 

The time for solving the resulting inhomogeneous linear system and 
computing the algebraic e-th root is comparable in every respect to the data given 
for the previous example (Appendix A). 
Faster Addition and Doubling on Elliptic Curves 

1 Introduction 


The core operations in elliptic-curve cryptography are single-scalar multiplication 
$(m, P) \mapsto mP$, double-scalar multiplication $(m, n, P, Q) \mapsto mP + nQ$, etc. 
Miller, in his Crypto '85 paper introducing elliptic-curve cryptography, proposed 
carrying out these operations on points represented in Jacobian form: 
"Each point is represented by the triple $(x, y, z)$ which corresponds to the point 
$(x/z^2, y/z^3)$" on a curve $y^2 = x^3 + a_4 x + a_6$. See [23, page 424]. One can add 
two points using 16 field multiplications, specifically 11M + 5S, with the fastest 
algorithms known today; here we keep separate tallies of squarings S and general 
multiplications M. A mixed addition, meaning that one input has $Z = 1$, 
takes only 7M + 4S. A doubling takes 1M + 8S + 1D, where D denotes the cost 
of multiplying by $a_4$; a doubling takes 3M + 5S in the special case $a_4 = -3$. 

Several subsequent papers analyzed the performance of other forms of elliptic 
curves proposed in the mathematical literature. See, e.g., […] for the speed of 
several dialects of the Weierstrass form, […] for the speed of Jacobi intersections, 
[…] for the speed of Hessians, and […] for the speed of Jacobi quartics; see also 
[…] and […], which introduced the Montgomery and Doche/Icart/Kohel forms 
and analyzed their speed. These alternate forms attracted some interest (in 
particular, many of them simplify protection against side-channel attacks, and 
the speed records in […] for single-scalar multiplication were set with the Montgomery 
form), but the Jacobian form remained the overall speed leader for 
multi-scalar multiplication. 

A new form for elliptic curves was added to the mathematical literature a few 
months ago: Edwards showed in […] that all elliptic curves over number fields 
could be transformed to the shape $x^2 + y^2 = c^2(1 + x^2y^2)$, with $(0, c)$ as neutral 
element and with the surprisingly simple and symmetric addition law 

$$(x_1, y_1), (x_2, y_2) \mapsto \left( \frac{x_1 y_2 + y_1 x_2}{c(1 + x_1 x_2 y_1 y_2)},\ \frac{y_1 y_2 - x_1 x_2}{c(1 - x_1 x_2 y_1 y_2)} \right).$$

Similarly, all elliptic curves over non-binary finite fields can be transformed to 
Edwards form. Some elliptic curves require a field extension for the transformation, 
but some elliptic curves have transformations defined over the original 
number field or finite field. 

To capture a larger class of elliptic curves over the original field, we expand 
the notion of Edwards form to include all curves $x^2 + y^2 = c^2(1 + dx^2y^2)$ where 
$cd(1 - dc^4) \neq 0$. More than 1/4 of all isomorphism classes of elliptic curves 
over a finite field (for example, the curve "Curve25519" previously used to set 
speed records for single-scalar multiplication) can be transformed to Edwards 
curves over the same field. See […] and Section […] of this paper for further background 
on Edwards curves. 

Our main goal in this paper is to analyze the impact of Edwards curves upon 
cryptographic applications. Our main conclusions are that the Edwards form 
(1) breaks solidly through the Jacobian speed barrier, (2) is competitive with 
the Montgomery form for single-scalar multiplication, and (3) is the new speed 
leader for multi-scalar multiplication. Specifically, we present explicit formulas 
(i.e., sequences of additions, subtractions, and multiplications) that 

• compute an addition $(X_1 : Y_1 : Z_1), (X_2 : Y_2 : Z_2) \mapsto (X_1 : Y_1 : Z_1) + (X_2 : 
Y_2 : Z_2)$ using 10M + 1S + 1D, where D is the cost of multiplying by a 
selectable curve parameter; 

• compute a mixed addition $(X_1 : Y_1 : Z_1), (X_2 : Y_2 : 1) \mapsto (X_1 : Y_1 : 
Z_1) + (X_2 : Y_2 : 1)$ using 9M + 1S + 1D; and 

• compute a doubling $(X_1 : Y_1 : Z_1) \mapsto 2(X_1 : Y_1 : Z_1)$ using 3M + 4S. 

See Section 4 for details of these computations; Section 5 for a comparison of these speeds 
to the speeds of explicit formulas for Jacobian, Hessian, etc.; Sections […] and […] for an 
analysis of the resulting speeds of single-scalar multiplication and general multi-scalar 
multiplication; and Section […] for a discussion of side-channel attacks. 

An Edwards curve with a unique point of order 2 has the extra feature that 
the addition formulas are complete. This means that the formulas work for all 
pairs of input points on the curve, with no exceptions for doubling, no exceptions 
for the neutral element, no exceptions for negatives, etc. Some previous addition 
formulas have been advertised as unified formulas that can handle generic 
doublings, simplifying protection against side-channel attacks; our addition formulas 
are faster than previous unified formulas and have the stronger property 
of completeness. See Sections 3, 4, and […] for further discussion. 

Acknowledgments. We thank Harold M. Edwards for his comments and encouragement, 
and of course for finding the Edwards addition law in the first 
place. We thank Marc Joye for suggesting using the curve equation to accelerate 
the computation of the $x$-coordinate of $2P$; see Section 4. 

2 Transformation to Edwards Form 

Fix a field $k$ of characteristic different from 2. Let $E$ be an elliptic curve over $k$ 
having a point of order 4. This section shows that some quadratic twist of $E$ is 
birationally equivalent over $k$ to an Edwards curve: specifically, a curve of the 
form $x^2 + y^2 = 1 + dx^2y^2$ with $d \notin \{0, 1\}$. (Perhaps this twist is $E$ itself; perhaps 
not.) Section 3 shows that the Edwards addition law on the Edwards curve corresponds 
to the standard elliptic-curve addition law. 

If $E$ has a unique point of order 2 then some quadratic twist of $E$ is birationally 
equivalent over $k$ to an Edwards curve having non-square $d$. If $k$ is finite and $E$ 
has a unique point of order 2 then the twist can be removed: $E$ is birationally 
equivalent over $k$ to an Edwards curve having non-square $d$. Section 3 shows that the 
Edwards addition law is complete in this case. 

All of these equivalences can be computed efficiently. The proof of 
Theorem 2.1 explicitly constructs $d$ given a Weierstrass-form elliptic curve, and 
explicitly maps points between the Weierstrass curve and the Edwards curve. 

As an example, consider the elliptic curve published in […] for fast scalar multiplication 
in Montgomery form, namely the elliptic curve $v^2 = u^3 + 486662u^2 + u$ 
modulo $p = 2^{255} - 19$. This curve "Curve25519" is birationally equivalent over 
$\mathbb{Z}/p$ to the Edwards curve $x^2 + y^2 = 1 + (121665/121666)x^2y^2$. The transformation 
is easy: simply define $x = \sqrt{486664}\,u/v$ and $y = (u - 1)/(u + 1)$; note that 
486664 is a square modulo $p$. The inverse transformation is just as easy: simply 
define $u = (1 + y)/(1 - y)$ and $v = \sqrt{486664}\,u/x$. 

Every Edwards curve has a point of order 4; see Section 3. So it is natural to consider 
elliptic curves having points of order 4. What about elliptic curves that 
do not have points of order 4, for example the NIST curves over prime fields? 
Construct an extension field $k'$ of $k$ such that $E(k')$, the group of points of $E$ 
defined over $k'$, has an element of order 4. Then replace $k$ by $k'$ in Theorem 
2.1 to see that some twist of $E$ is birationally equivalent over $k'$ to an Edwards 
curve defined over $k'$. 

Theorem 2.1. Let $k$ be a field in which $2 \neq 0$. Let $E$ be an elliptic curve over 
$k$ such that the group $E(k)$ has an element of order 4. Then 

(1) there exists $d \in k \setminus \{0, 1\}$ such that the curve $x^2 + y^2 = 1 + dx^2y^2$ is 
birationally equivalent over $k$ to a quadratic twist of $E$; 

(2) if $E(k)$ has a unique element of order 2 then there is a nonsquare $d \in k$ 
such that the curve $x^2 + y^2 = 1 + dx^2y^2$ is birationally equivalent over $k$ to 
a quadratic twist of $E$; and 

(3) if $k$ is finite and $E(k)$ has a unique element of order 2 then there is a 
nonsquare $d \in k$ such that the curve $x^2 + y^2 = 1 + dx^2y^2$ is birationally 
equivalent over $k$ to $E$. 

Proof. Write $E$ in long Weierstrass form $s^2 + a_1 rs + a_3 s = r^3 + a_2 r^2 + a_4 r + a_6$. 
Assume without loss of generality that $a_1 = 0$ and $a_3 = 0$; to handle the general 
case, define $\bar{s} = s + (a_1 r + a_3)/2$. 

Write $P$ for the hypothesized point of order 4 on $E$. Assume without loss of 
generality that $2P = (0, 0)$ and thus $a_6 = 0$; to handle the general case, define 
$\bar{r} = r - r_2$ where $2P = (r_2, s_2)$. 

The elliptic curve $E$ now has the form $s^2 = r^3 + a_2 r^2 + a_4 r$. Write $P$ as $(r_1, s_1)$. 
The next step is to express $a_2$ and $a_4$ in terms of $r_1$ and $s_1$. 

Note that $s_1 \neq 0$, as otherwise $P$ has order 2. Consequently $r_1 \neq 0$. The 
equation $2P = (0, 0)$ means that the tangent line to $E$ at $P$ passes through 
$(0, 0)$, i.e., that $s_1 - 0 = (r_1 - 0)\lambda$ where $\lambda$ is the tangent slope $(3r_1^2 + 2a_2 r_1 + 
a_4)/2s_1$. Thus $3r_1^3 + 2a_2 r_1^2 + a_4 r_1 = 2s_1^2$. Also $2s_1^2 = 2r_1^3 + 2a_2 r_1^2 + 2a_4 r_1$ since 
$P$ is on the curve. Subtract to see that $r_1^3 = a_4 r_1$, i.e., $r_1^2 = a_4$. Furthermore 
$a_2 = (s_1^2 - r_1^3 - a_4 r_1)/r_1^2 = s_1^2/r_1^2 - 2r_1$. Putting $d = 1 - 4r_1^3/s_1^2$ we obtain 
$a_2 = 2((1 + d)/(1 - d))r_1$. 

Note that $d \neq 1$ since $r_1 \neq 0$. Note also that $d \neq 0$: otherwise the right-hand 
side of $E$'s equation would be $r^3 + a_2 r^2 + a_4 r = r^3 + 2r_1 r^2 + r_1^2 r = r(r + r_1)^2$, 
contradicting the hypothesis that $E$ is elliptic. Note also that if $d$ is a square 
then there is another point of order 2 in $E(k)$, namely $(r_1(\sqrt{d} + 1)/(\sqrt{d} - 1), 0)$. 

Consider two quadratic twists of $E$, namely the elliptic curves $E'$ and $E''$ 
defined by $(r_1/(1 - d))s^2 = r^3 + a_2 r^2 + a_4 r$ and $(dr_1/(1 - d))s^2 = r^3 + a_2 r^2 + a_4 r$. 

If $k$ is finite and $d$ is nonsquare then either $r_1/(1 - d)$ or $dr_1/(1 - d)$ is a square 
in $k$ so $E$ is isomorphic to either $E'$ or $E''$. 




Substitute $u = r/r_1$ and $v = s/r_1$ to see that $E'$ is isomorphic to the elliptic 
curve $(1/(1 - d))v^2 = u^3 + 2((1 + d)/(1 - d))u^2 + u$ and that $E''$ is isomorphic 
to $(d/(1 - d))v^2 = u^3 + 2((1 + d)/(1 - d))u^2 + u$. 

We now show that the curve $x^2 + y^2 = 1 + dx^2y^2$ is birationally equivalent to 
$(1/(1 - d))v^2 = u^3 + 2((1 + d)/(1 - d))u^2 + u$, and therefore to $E'$. The rational 
map $(u, v) \mapsto (x, y)$ is defined by $x = 2u/v$ and $y = (u - 1)/(u + 1)$; there are only 
finitely many exceptional points with $v(u + 1) = 0$. The inverse rational map 
$(x, y) \mapsto (u, v)$ is defined by $u = (1 + y)/(1 - y)$ and $v = 2(1 + y)/(1 - y)x$; there 
are only finitely many exceptional points with $(1 - y)x = 0$. A straightforward 
calculation, included in […], shows that the inverse rational map produces $(u, v)$ 
satisfying $(1/(1 - d))v^2 = u^3 + 2((1 + d)/(1 - d))u^2 + u$. 

Substitute $1/d$ for $d$ and $-u$ for $u$ to see that $x^2 + y^2 = 1 + (1/d)x^2y^2$ is 
birationally equivalent to the curve $(1/(1 - 1/d))v^2 = (-u)^3 + 2((1 + 1/d)/(1 - 
1/d))(-u)^2 + (-u)$, i.e., to $(d/(1 - d))v^2 = u^3 + 2((1 + d)/(1 - d))u^2 + u$, and 
therefore to $E''$. 

To summarize: (1) The curve $x^2 + y^2 = 1 + dx^2y^2$ is equivalent to a quadratic 
twist $E'$ of $E$. (2) If $E$ has a unique point of order 2 then $d$ is a nonsquare and 
$x^2 + y^2 = 1 + dx^2y^2$ is equivalent to a quadratic twist $E'$ of $E$. (3) If $k$ is finite 
and $E$ has a unique point of order 2 then $d$ is a nonsquare so $E$ is isomorphic 
to $E'$ or to $E''$; thus $E$ is birationally equivalent to $x^2 + y^2 = 1 + dx^2y^2$ or to 
$x^2 + y^2 = 1 + (1/d)x^2y^2$. $\square$ 

Notes on Isomorphisms. If $\bar{d} = dc^4$ then the curve $x^2 + y^2 = 1 + \bar{d}x^2y^2$ is 
isomorphic to the curve $\bar{x}^2 + \bar{y}^2 = c^2(1 + d\bar{x}^2\bar{y}^2)$: simply define $\bar{x} = cx$ and $\bar{y} = cy$. 
In particular, if $k$ is a finite field, then at least 1/4 of the nonzero elements of $k$ are 
4th powers, so $\bar{d}/d$ is a 4th power for at least 1/4 of the choices of $d \in k \setminus \{0\}$; 
the smallest qualifying $d$ is typically extremely small. But for computational 
purposes we do not recommend minimizing $d$ as a general strategy: a small $c$ is 
more valuable than a small $d$. See Section 4. 


3 The Edwards Addition Law 


This section presents the Edwards addition law for an Edwards curve $x^2 + y^2 = 
c^2(1 + dx^2y^2)$. We show (1) that the Edwards addition law produces points on the 
curve, (2) that the Edwards addition law corresponds to the standard addition 
law on a birationally equivalent elliptic curve, and (3) that the Edwards addition 
law is complete when $d$ is not a square. Proofs appear at the end of the section. 

Fix a field $k$ of characteristic different from 2. Fix $c, d \in k$ such that $c \neq 0$, 
$d \neq 0$, and $dc^4 \neq 1$. Consider the Edwards addition law 

$$(x_1, y_1), (x_2, y_2) \mapsto \left( \frac{x_1 y_2 + y_1 x_2}{c(1 + dx_1 x_2 y_1 y_2)},\ \frac{y_1 y_2 - x_1 x_2}{c(1 - dx_1 x_2 y_1 y_2)} \right)$$

on the Edwards curve $x^2 + y^2 = c^2(1 + dx^2y^2)$ over $k$. 

Examples: for each point $P = (x_1, y_1)$ on the curve, $P$ is the sum of $(0, c)$ and 
$P$, so $(0, c)$ is a neutral element of the addition law; the only neutral element 
is $(0, c)$; $(0, c)$ is the sum of $P$ and $-P = (-x_1, y_1)$; in particular, $(0, -c)$ has 
order 2; $(c, 0)$ and $(-c, 0)$ have order 4. 

The next theorem states that the output of the Edwards addition law is on 
the curve when the output is defined, i.e., when $dx_1 x_2 y_1 y_2 \notin \{-1, 1\}$. 

Theorem 3.1. Let $k$ be a field in which $2 \neq 0$. Let $c, d$ be nonzero elements of $k$ 
with $dc^4 \neq 1$. Let $x_1, y_1, x_2, y_2$ be elements of $k$ such that $x_1^2 + y_1^2 = c^2(1 + dx_1^2y_1^2)$ 
and $x_2^2 + y_2^2 = c^2(1 + dx_2^2y_2^2)$. Assume that $dx_1 x_2 y_1 y_2 \notin \{-1, 1\}$. Define $x_3 = 
(x_1 y_2 + y_1 x_2)/c(1 + dx_1 x_2 y_1 y_2)$ and $y_3 = (y_1 y_2 - x_1 x_2)/c(1 - dx_1 x_2 y_1 y_2)$. Then 
$x_3^2 + y_3^2 = c^2(1 + dx_3^2y_3^2)$. 

The next theorem states that the output of the Edwards addition law corresponds 
to the output of the standard addition law on a birationally equivalent 
elliptic curve $E$. One can therefore perform group operations on $E$ (or on 
any other birationally equivalent elliptic curve) by performing the corresponding 
group operations on the Edwards curve, at the expense of evaluating and 
inverting the correspondence once for each series of computations. 

Theorem 3.2. In the situation of Theorem 3.1, let $e = 1 - dc^4$ and let $E$ be 
the elliptic curve $(1/e)v^2 = u^3 + (4/e - 2)u^2 + u$. For each $i \in \{1, 2, 3\}$ define 
$P_i$ as follows: $P_i = \infty$ if $(x_i, y_i) = (0, c)$; $P_i = (0, 0)$ if $(x_i, y_i) = (0, -c)$; and 
$P_i = (u_i, v_i)$ if $x_i \neq 0$, where $u_i = (c + y_i)/(c - y_i)$ and $v_i = 2c(c + y_i)/(c - y_i)x_i$. 
Then $P_i \in E(k)$ and $P_1 + P_2 = P_3$. 

Here $P_1 + P_2$ means the sum of $P_1$ and $P_2$ in the standard addition law on 
$E(k)$. Note that $x_i \neq 0$ implies $y_i \neq c$. 

The group operations could encounter exceptional points where the Edwards 
addition law is not defined. One can, in many applications, rely on randomization 
to avoid the exceptional points, or one can switch from the Edwards curve back 
to $E$ when exceptional points occur. 

The next theorem states that, when $d$ is not a square, there are no exceptional 
points: the denominators in the Edwards addition law cannot be zero. In other 
words, when $d$ is not a square, the Edwards addition law is complete: it is defined 
for all pairs of input points on the Edwards curve over $k$. The set $E(k)$, with the 
standard addition law, is isomorphic as a group to the set of points $(x_i, y_i) \in k \times k$ 
on the Edwards curve, with the Edwards addition law. The Edwards addition 
law can carry out any sequence of group operations, without risk of failure. 

Theorem 3.3. Let $k$ be a field in which $2 \neq 0$. Let $c, d, e$ be nonzero elements 
of $k$ with $e = 1 - dc^4$. Assume that $d$ is not a square in $k$. Let $x_1, y_1, x_2, y_2$ be 
elements of $k$ such that $x_1^2 + y_1^2 = c^2(1 + dx_1^2y_1^2)$ and $x_2^2 + y_2^2 = c^2(1 + dx_2^2y_2^2)$. 
Then $dx_1 x_2 y_1 y_2 \neq 1$ and $dx_1 x_2 y_1 y_2 \neq -1$. 

Example: $d = 121665/121666$ is not a square in the field $k = \mathbb{Z}/(2^{255} - 19)$. 
The Edwards addition law is defined for all $(x_1, y_1), (x_2, y_2)$ on the Edwards 
curve $x^2 + y^2 = 1 + dx^2y^2$ over $k$, and corresponds to the standard addition 
law on "Curve25519," the elliptic curve $v^2 = u^3 + 486662u^2 + u$ over $k$. The 
point at $\infty$ on Curve25519 corresponds to the point $(0, 1)$ on the Edwards curve; 
the point $(0, 0)$ on Curve25519 corresponds to $(0, -1)$; any other point $(u, v)$ 
on Curve25519 corresponds to $(\sqrt{486664}\,u/v, (u - 1)/(u + 1))$; a sum of points 
on Curve25519 corresponds to a sum of points on the Edwards curve. One can 
therefore perform a sequence of group operations on points of the elliptic curve 
$v^2 = u^3 + 486662u^2 + u$ by performing the same sequence of group operations 
on the corresponding points of the Edwards curve. 
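As an added worked example (not code from the paper or its authors), the following Python checks the Theorem 2.1 construction and the Curve25519 example above numerically over $\mathbb{Z}/(2^{255} - 19)$: it derives $d = 121665/121666$ from the order-4 point $(1, \sqrt{486664})$ with the recipe $d = 1 - 4r_1^3/s_1^2$, maps small multiples of the Curve25519 point with $u = 9$ to the Edwards curve with the maps above, and confirms that the affine Edwards addition law and chord-and-tangent addition on $v^2 = u^3 + 486662u^2 + u$ agree. The choice of $u = 9$ (the usual Curve25519 base point), the square-root routine for $p \equiv 5 \pmod 8$, the Montgomery-form addition and all function names are ours, not the paper's.

```python
# Added worked example; not code from the paper. Checks the Section 2 recipe
# (d = 1 - 4 r1^3 / s1^2 from a point of order 4) and the Curve25519 <-> Edwards
# correspondence of Section 3 over GF(2^255 - 19), using the affine Edwards
# addition law with c = 1 and the usual chord-and-tangent law on the
# Montgomery-form curve v^2 = u^3 + 486662 u^2 + u.

p = 2**255 - 19
A = 486662                                   # Curve25519: v^2 = u^3 + A u^2 + u
d = 121665 * pow(121666, -1, p) % p          # Edwards coefficient (c = 1)

def is_square(a):
    """Euler criterion modulo p (0 counts as a square)."""
    return a % p == 0 or pow(a, (p - 1) // 2, p) == 1

def sqrt_mod_p(a):
    """Square root modulo p, which is 5 mod 8; None if a is a non-residue."""
    a %= p
    if a == 0:
        return 0
    r = pow(a, (p + 3) // 8, p)              # r^2 is a or -a
    if r * r % p != a:
        r = r * pow(2, (p - 1) // 4, p) % p  # fix up with a square root of -1
    return r if r * r % p == a else None

SQRT_486664 = sqrt_mod_p(486664)             # the paper notes 486664 is a square mod p

def d_from_order4_point(r1, s1):
    """Theorem 2.1: for s^2 = r^3 + a2 r^2 + a4 r and P = (r1, s1) with 2P = (0, 0), d = 1 - 4 r1^3 / s1^2."""
    return (1 - 4 * pow(r1, 3, p) * pow(s1 * s1, -1, p)) % p

def on_edwards(P):
    x, y = P
    return (x * x + y * y - 1 - d * x * x * y * y) % p == 0

def edwards_add(P, Q):
    """Affine Edwards law (c = 1). d is a non-square, so by Theorem 3.3 no denominator is 0."""
    x1, y1 = P
    x2, y2 = Q
    t = d * x1 * x2 * y1 * y2 % p
    return ((x1 * y2 + y1 * x2) * pow(1 + t, -1, p) % p,
            (y1 * y2 - x1 * x2) * pow(1 - t, -1, p) % p)

def mont_add(P, Q):
    """Chord-and-tangent addition on v^2 = u^3 + A u^2 + u; None is the point at infinity."""
    if P is None:
        return Q
    if Q is None:
        return P
    u1, v1 = P
    u2, v2 = Q
    if u1 == u2:
        if (v1 + v2) % p == 0:
            return None                      # Q = -P, including 2 * (0, 0)
        lam = (3 * u1 * u1 + 2 * A * u1 + 1) * pow(2 * v1, -1, p) % p
    else:
        lam = (v2 - v1) * pow(u2 - u1, -1, p) % p
    u3 = (lam * lam - A - u1 - u2) % p
    return (u3, (lam * (u1 - u3) - v1) % p)

def to_edwards(P):
    """infinity -> (0, 1); (0, 0) -> (0, -1); otherwise (sqrt(486664) u / v, (u - 1) / (u + 1))."""
    if P is None:
        return (0, 1)
    u, v = P
    if (u, v) == (0, 0):
        return (0, p - 1)
    return (SQRT_486664 * u * pow(v, -1, p) % p, (u - 1) * pow(u + 1, -1, p) % p)

def to_montgomery(P):
    """Inverse map: u = (1 + y) / (1 - y), v = sqrt(486664) u / x."""
    x, y = P
    if x == 0:
        return None if y == 1 else (0, 0)
    u = (1 + y) * pow(1 - y, -1, p) % p
    return (u, SQRT_486664 * u * pow(x, -1, p) % p)

def base_point():
    """The Curve25519 point with u = 9 (either square root of the right-hand side)."""
    return (9, sqrt_mod_p(9**3 + A * 81 + 9))

def check_correspondence(n=6):
    """Compute kP for k = 2..n on both curves and confirm the maps carry one onto the other."""
    P = base_point()
    E1 = to_edwards(P)
    M, S = P, E1
    for _ in range(2, n + 1):
        M = mont_add(M, P)
        S = edwards_add(S, E1)
        if not on_edwards(S) or to_edwards(M) != S or to_montgomery(S) != M:
            return False
    return edwards_add(E1, (p - E1[0], E1[1])) == (0, 1)   # P + (-P) is the neutral element
```

Note that `d_from_order4_point(1, SQRT_486664)` reproduces $121665/121666$ exactly: on Curve25519 the points of order 4 above $(0, 0)$ have $u^2 = a_4 = 1$, and $u = 1$ gives $v^2 = 486664$, which is why that constant appears in both the coefficient $d$ and the coordinate maps.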

The reader might wonder why [… , Theorem 1] ("The smallest cardinality of 
a complete system of addition laws on $E$ equals two") does not force exceptional 
cases in the addition law for the curve $x^2 + y^2 = c^2(1 + dx^2y^2)$. The simplest answer 
is that [… , Theorem 1] is concerned with exceptional cases in the algebraic 
closure of $k$, whereas we are concerned with exceptional cases in $k$ itself. 

The reader might also wonder why we ignore the two projective points 
$(0 : 1 : 0)$ and $(1 : 0 : 0)$ on the Edwards curve. The answer is that, although 
these points might at first glance appear to be defined over $k$, they are actually 
singularities of the curve, and resolving the singularities produces four points 
that are defined over $k(\sqrt{d})$, not over $k$. 

Proof (of Theorem 3.1). The special case $d = 1$ is equivalent to [… , Theorem 
8.1]. We could deduce the general case from the special case, but to keep this 
paper self-contained we instead give a direct proof. 

The first ingredient in the proof is a mechanically verifiable polynomial identity. 
Define $T = (x_1y_2 + y_1x_2)^2(1 - dx_1x_2y_1y_2)^2 + (y_1y_2 - x_1x_2)^2(1 + dx_1x_2y_1y_2)^2 - 
d(x_1y_2 + y_1x_2)^2(y_1y_2 - x_1x_2)^2$. The identity says that $T = (x_1^2 + y_1^2 - (x_2^2 + 
y_2^2)dx_1^2y_1^2)(x_2^2 + y_2^2 - (x_1^2 + y_1^2)dx_2^2y_2^2)$. 

The second ingredient is the curve equation, i.e., the hypotheses on $(x_1, y_1)$ 
and $(x_2, y_2)$. Subtract the equation $(x_2^2 + y_2^2)dx_1^2y_1^2 = c^2(1 + dx_2^2y_2^2)dx_1^2y_1^2$ from 
the equation $x_1^2 + y_1^2 = c^2(1 + dx_1^2y_1^2)$ to see that $x_1^2 + y_1^2 - (x_2^2 + y_2^2)dx_1^2y_1^2 = 
c^2(1 - d^2x_1^2x_2^2y_1^2y_2^2)$. Similarly $x_2^2 + y_2^2 - (x_1^2 + y_1^2)dx_2^2y_2^2 = c^2(1 - d^2x_1^2x_2^2y_1^2y_2^2)$. 
Thus $T = c^4(1 - d^2x_1^2x_2^2y_1^2y_2^2)^2$. 

The third ingredient is the Edwards addition law, i.e., the definition of 
$(x_3, y_3)$ in terms of $x_1, x_2, y_1, y_2$. We have 

$$x_3^2 + y_3^2 - c^2 d x_3^2 y_3^2 = \frac{(x_1y_2 + y_1x_2)^2}{c^2(1 + dx_1x_2y_1y_2)^2} + \frac{(y_1y_2 - x_1x_2)^2}{c^2(1 - dx_1x_2y_1y_2)^2} - \frac{c^2 d(x_1y_2 + y_1x_2)^2(y_1y_2 - x_1x_2)^2}{c^4(1 + dx_1x_2y_1y_2)^2(1 - dx_1x_2y_1y_2)^2}$$

$$= \frac{T}{c^2(1 + dx_1x_2y_1y_2)^2(1 - dx_1x_2y_1y_2)^2} = \frac{c^4(1 - d^2x_1^2x_2^2y_1^2y_2^2)^2}{c^2(1 - d^2x_1^2x_2^2y_1^2y_2^2)^2} = c^2.$$

Thus $x_3^2 + y_3^2 = c^2(1 + dx_3^2y_3^2)$ as claimed. $\square$ 

Proof (of Theorem 3.2). First we show that each $P_i$ is in $E(k)$. If $(x_i, y_i) = (0, c)$ 
then $P_i = \infty \in E(k)$. If $(x_i, y_i) = (0, -c)$ then $P_i = (0, 0) \in E(k)$. Otherwise 
$P_i = (u_i, v_i) \in E(k)$ by essentially the same calculations as in Theorem 2.1, 
omitted here. 

All that remains is to show that $P_1 + P_2 = P_3$. There are several cases in the 
standard addition law for $E(k)$: the proof thus splits into several cases. 

If $(x_1, y_1) = (0, c)$ then $(x_3, y_3) = (x_2, y_2)$. Now $P_1$ is the point at infinity 
and $P_2 = P_3$, so $P_1 + P_2 = \infty + P_2 = P_2 = P_3$. Similar comments apply if 
$(x_2, y_2) = (0, c)$. Assume from now on that $(x_1, y_1) \neq (0, c)$ and $(x_2, y_2) \neq (0, c)$. 

If $(x_3, y_3) = (0, c)$ then $(x_2, y_2) = (-x_1, y_1)$. If $(x_1, y_1) = (0, -c)$ then also 
$(x_2, y_2) = (0, -c)$ and $P_1 = (0, 0) = P_2$; otherwise $x_1, x_2$ are nonzero so $u_1 = 
(c + y_1)/(c - y_1) = u_2$ and $v_1 = 2cu_1/x_1 = -2cu_2/x_2 = -v_2$ so $P_1 = -P_2$. In 
both cases $P_1 + P_2 = \infty = P_3$. Assume from now on that $(x_3, y_3) \neq (0, c)$. 

If $(x_1, y_1) = (0, -c)$ then $(x_3, y_3) = (-x_2, -y_2)$. Now $(x_2, y_2) \neq (0, -c)$ (since 
otherwise $(x_3, y_3) = (0, c)$) and $(x_2, y_2) \neq (0, c)$ so $x_2 \neq 0$. Thus $P_1 = (0, 0)$ and 
$P_2 = (u_2, v_2)$ with $u_2 = (c + y_2)/(c - y_2)$ and $v_2 = 2cu_2/x_2$. The standard addition 
law says that $(0, 0) + (u_2, v_2) = (r_3, s_3)$ where $r_3 = (1/e)(v_2/u_2)^2 - (4/e - 2) - 
u_2 = 1/u_2$ and $s_3 = (v_2/u_2)(-r_3) = -v_2/u_2^2$. Furthermore $P_3 = (u_3, v_3)$ with 
$u_3 = (c + y_3)/(c - y_3) = (c - y_2)/(c + y_2) = 1/u_2 = r_3$ and $v_3 = 2cu_3/x_3 = 
-2c/u_2x_2 = -v_2/u_2^2 = s_3$. Thus $P_1 + P_2 = P_3$. Similar comments apply if 
$(x_2, y_2) = (0, -c)$. 

Assume from now on that $x_1 \neq 0$ and $x_2 \neq 0$. Then $P_1 = (u_1, v_1)$ with $u_1 = 
(c + y_1)/(c - y_1)$ and $v_1 = 2cu_1/x_1$, and $P_2 = (u_2, v_2)$ with $u_2 = (c + y_2)/(c - y_2)$ 
and $v_2 = 2cu_2/x_2$. 

If $(x_3, y_3) = (0, -c)$ then $(x_1, y_1) = (x_2, -y_2)$ so $u_1 = (c + y_1)/(c - y_1) = 
(c - y_2)/(c + y_2) = 1/u_2$ and $v_1 = 2cu_1/x_1 = v_2/u_2^2$. Furthermore $P_3 = (0, 0)$ 
so the standard addition law says as above that $-P_3 + P_2 = (0, 0) + P_2 = 
(1/u_2, -v_2/u_2^2) = (u_1, -v_1) = -P_1$, i.e., $P_1 + P_2 = P_3$. 

Assume from now on that $x_3 \neq 0$. Then $P_3 = (u_3, v_3)$ with $u_3 = (c + y_3)/(c - 
y_3)$ and $v_3 = 2cu_3/x_3$. 

If $P_2 = -P_1$ then $u_2 = u_1$ and $v_2 = -v_1$, so $x_2 = -x_1$ and $y_2 = c(u_2 - 
1)/(u_2 + 1) = c(u_1 - 1)/(u_1 + 1) = y_1$, so $(x_3, y_3) = (0, c)$, which is already 
handled above. Assume from now on that $P_2 \neq -P_1$. 

If $u_2 = u_1$ and $v_2 \neq -v_1$ then the standard addition law says that $(u_1, v_1) + 
(u_2, v_2) = (r_3, s_3)$ where $\lambda = (3u_1^2 + 2(4/e - 2)u_1 + 1)/((2/e)v_1)$, $r_3 = (1/e)\lambda^2 - 
(4/e - 2) - 2u_1$, and $s_3 = \lambda(u_1 - r_3) - v_1$. A straightforward calculation, included 
in […], shows that $(r_3, s_3) = (u_3, v_3)$. 

The only remaining case is that $u_2 \neq u_1$. The standard addition law says that 
$(u_1, v_1) + (u_2, v_2) = (r_3, s_3)$ where $\lambda = (v_2 - v_1)/(u_2 - u_1)$, $r_3 = (1/e)\lambda^2 - (4/e - 
2) - u_1 - u_2$, and $s_3 = \lambda(u_1 - r_3) - v_1$. Another straightforward calculation, 
included in […], shows that $(r_3, s_3) = (u_3, v_3)$. 

Conclusion: $P_3 = P_1 + P_2$ in every case. $\square$ 

Proof (of Theorem 3.3). Write $\epsilon = dx_1x_2y_1y_2$. Suppose that $\epsilon \in \{-1, 1\}$. Then 
$x_1, x_2, y_1, y_2 \neq 0$. Furthermore $dx_1^2y_1^2(x_2^2 + y_2^2) = c^2(dx_1^2y_1^2 + d^2x_1^2y_1^2x_2^2y_2^2) = 
c^2(dx_1^2y_1^2 + \epsilon^2) = c^2(1 + dx_1^2y_1^2) = x_1^2 + y_1^2$ so 

$$(x_1 + \epsilon y_1)^2 = x_1^2 + y_1^2 + 2\epsilon x_1y_1 = dx_1^2y_1^2(x_2^2 + y_2^2) + 2x_1y_1 \cdot dx_1x_2y_1y_2 
= dx_1^2y_1^2(x_2^2 + 2x_2y_2 + y_2^2) = dx_1^2y_1^2(x_2 + y_2)^2.$$

If $x_2 + y_2 \neq 0$ then $d = ((x_1 + \epsilon y_1)/x_1y_1(x_2 + y_2))^2$ so $d$ is a square, contradiction. 
Similarly, if $x_2 - y_2 \neq 0$ then $d = ((x_1 - \epsilon y_1)/x_1y_1(x_2 - y_2))^2$ so $d$ is a square, 
contradiction. If both $x_2 + y_2$ and $x_2 - y_2$ are 0 then $x_2 = 0$ and $y_2 = 0$, 
contradiction. $\square$ 
4 Efficient Group Operations in Edwards Form 

This section presents fast explicit formulas and register allocations for doubling, 
mixed addition, etc. on Edwards curves with arbitrary parameters $c, d$. 

As usual we count the number of operations in the underlying field. We keep 
separate tallies of the number of general multiplications (each costing M), squarings 
(each costing S), multiplications by $c$ (each costing C), multiplications 
by $d$ (each costing D), and additions/subtractions (each costing a). The costs 
M, S, C, D, a depend on the choice of platform, on the choice of finite field, and 
on the choice of $c$ and $d$. 

Every Edwards curve can easily be transformed to an isomorphic Edwards 
curve over the same field having $c = 1$ and thus C = 0; see "Notes on isomorphisms" 
in Section 2. In subsequent sections we assume that $c = 1$. However, we can 
imagine applications in which $c \neq 1$ (for example, a curve with a fairly small $c$ 
and with $d = 1$ could have smaller C + D than an isomorphic curve with $c = 1$ 
and $d = c^4$), so we allow arbitrary $(c, d)$ in our explicit formulas. 

Addition. To avoid the inversions in the original Edwards addition formulas, 
we homogenize the curve equation to $(X^2 + Y^2)Z^2 = c^2(Z^4 + dX^2Y^2)$. A point 
$(X_1 : Y_1 : Z_1)$ satisfying $(X_1^2 + Y_1^2)Z_1^2 = c^2(Z_1^4 + dX_1^2Y_1^2)$ and $Z_1 \neq 0$ corresponds 
to the affine point $(X_1/Z_1, Y_1/Z_1)$. The neutral element is $(0 : c : 1)$, and the 
inverse of $(X_1 : Y_1 : Z_1)$ is $(-X_1 : Y_1 : Z_1)$. 

The following formulas, given $(X_1 : Y_1 : Z_1)$ and $(X_2 : Y_2 : Z_2)$, compute the 
sum $(X_3 : Y_3 : Z_3) = (X_1 : Y_1 : Z_1) + (X_2 : Y_2 : Z_2)$: 

$A = Z_1 \cdot Z_2$; $B = A^2$; $C = X_1 \cdot X_2$; $D = Y_1 \cdot Y_2$; $E = d \cdot C \cdot D$; 
$F = B - E$; $G = B + E$; $X_3 = A \cdot F \cdot ((X_1 + Y_1) \cdot (X_2 + Y_2) - C - D)$; 
$Y_3 = A \cdot G \cdot (D - C)$; $Z_3 = c \cdot F \cdot G$. 

One readily counts 10M + 1S + 1C + 1D + 7a. We have saved operations here 
by rewriting $x_1y_2 + x_2y_1$ as $(x_1 + y_1)(x_2 + y_2) - x_1x_2 - y_1y_2$ and by exploiting 
common subexpressions. 

The following specific sequence of operations starts with registers $R_1, R_2, R_3$ 
containing $X_1, Y_1, Z_1$ and registers $R_4, R_5, R_6$ containing $X_2, Y_2, Z_2$, uses just 
two temporary registers $R_7, R_8$ and constants $c, d$, ends with registers $R_1, R_2, R_3$ 
containing $X_3, Y_3, Z_3$ and untouched registers $R_4, R_5, R_6$ containing $X_2, Y_2, Z_2$, 
and uses 10M + 1S + 1C + 1D + 7a: 

$R_3 \leftarrow R_3 \cdot R_6$; $R_7 \leftarrow R_1 + R_2$; $R_8 \leftarrow R_4 + R_5$; $R_1 \leftarrow R_1 \cdot R_4$; $R_2 \leftarrow R_2 \cdot R_5$; 
$R_7 \leftarrow R_7 \cdot R_8$; $R_7 \leftarrow R_7 - R_1$; $R_7 \leftarrow R_7 - R_2$; $R_7 \leftarrow R_7 \cdot R_3$; $R_8 \leftarrow R_1 \cdot R_2$; 
$R_8 \leftarrow d \cdot R_8$; $R_2 \leftarrow R_2 - R_1$; $R_2 \leftarrow R_2 \cdot R_3$; $R_3 \leftarrow R_3^2$; $R_1 \leftarrow R_3 - R_8$; 
$R_3 \leftarrow R_3 + R_8$; $R_2 \leftarrow R_2 \cdot R_3$; $R_3 \leftarrow R_3 \cdot R_1$; $R_1 \leftarrow R_1 \cdot R_7$; $R_3 \leftarrow c \cdot R_3$. 

We emphasize that these formulas work whether or not $(X_1 : Y_1 : Z_1) = (X_2 : 
Y_2 : Z_2)$. There is no need to go to extra effort to unify the addition formulas 
with separate doubling formulas; the addition formulas are already unified. If $d$ 
is not a square then the addition law works for all pairs of input points. See Section 3 
for further discussion of the scope of validity of the addition formulas. 
As an alternative, one can obtain $A(B - E)$ and $A(B + E)$ and $(B - E)(B + E)$ 
as linear combinations of $A^2, B^2, E^2, (A + B)^2, (A + E)^2$. This change replaces 
10M + 1S by 7M + 5S, presumably saving time on platforms where S/M < 0.75. 
Note that S/M ≈ 0.67 in […]. 

Mixed Addition. "Mixed addition" refers to the case that $Z_2$ is known to be 
1. In this case the multiplication $A = Z_1 \cdot Z_2$ can be eliminated, reducing the 
total cost to 9M + 1S + 1C + 1D + 7a. 


Doubling. “Doubling” refers to the case that (X1 : Y1 : Z1) and (X2 : Y2 : Z2) 
are known to be equal. In this case we rewrite $c(1 + dx_1^2y_1^2)$ as $(x_1^2 + y_1^2)/c$ using 
the curve equation, and we rewrite $c(1 - dx_1^2y_1^2)$ as $(2c^2 - (x_1^2 + y_1^2))/c$: 

$$
2(x_1, y_1)
= \left( \frac{2x_1y_1}{c(1 + dx_1^2y_1^2)},\ \frac{y_1^2 - x_1^2}{c(1 - dx_1^2y_1^2)} \right)
= \left( \frac{2x_1y_1c}{x_1^2 + y_1^2},\ \frac{(y_1^2 - x_1^2)c}{2c^2 - (x_1^2 + y_1^2)} \right).
$$

We thank Marc Joye for suggesting rewriting $c(1 + dx_1^2y_1^2)$ as $(x_1^2 + y_1^2)/c$. We save 
further operations by rewriting $2x_1y_1$ as $(x_1 + y_1)^2 - x_1^2 - y_1^2$ and by exploiting 
common subexpressions. The resulting formulas (with 2H computed as H + H) 
use only 3M + 4S + 3C + 6a: 

$B = (X_1 + Y_1)^2$; $C = X_1^2$; $D = Y_1^2$; $E = C + D$; $H = (c \cdot Z_1)^2$; 
$J = E - 2H$; $X_3 = c \cdot (B - E) \cdot J$; $Y_3 = c \cdot E \cdot (C - D)$; $Z_3 = E \cdot J$. 


The following specific sequence of operations, starting with X1, Y1, Z1 in 
registers R1, R2, R3, changes registers R1, R2, R3 to contain X3, Y3, Z3, using 
3M + 4S + 3C + 6a and using just two temporary registers R4, R5: 

R4 ← R1 + R2; R3 ← c · R3; R1 ← R1²; R2 ← R2²; R3 ← R3²; R4 ← R4²; 
R3 ← R3 + R3; R5 ← R1 + R2; R2 ← R1 − R2; R4 ← R4 − R5; R3 ← R5 − R3; 
R1 ← R3 · R4; R3 ← R3 · R5; R2 ← R2 · R5; R1 ← c · R1; R2 ← c · R2. 

The following alternate sequence of operations uses one more addition, totalling 
3M + 4S + 3C + 7a, but uses just one additional register R4: 

R3 ← c · R3; R4 ← R1²; R1 ← R1 + R2; R1 ← R1²; R2 ← R2²; R3 ← R3²; R3 ← 2R3; 
R4 ← R2 + R4; R2 ← 2R2; R2 ← R4 − R2; R1 ← R1 − R4; R2 ← R2 · R4; 
R3 ← R4 − R3; R1 ← R1 · R3; R3 ← R3 · R4; R1 ← c · R1; R2 ← c · R2. 

Another option is to scale (X3 : Y3 : Z3) to (X3/c : Y3/c : Z3/c), replacing 
two multiplications by c with one multiplication by 1/c; typically 1/c can be 
precomputed. Of course, all three multiplications by c can be skipped if c = 1. 

Compression. Given x one can easily recover $\pm y = \sqrt{(c^2 - x^2)/(1 - c^2 d x^2)}$. 
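The register sequences above, and the compression formula, as an added example that is not part of the paper: both sequences are run over a small prime field with an operation-counting field element, so the tallies 10M + 1S + 1C + 1D + 7a and 3M + 4S + 3C + 6a can be checked mechanically, and every ordered pair of curve points (P = Q included) is added with the projective sequence and compared against the affine addition law. The prime p = 211 and the curve parameters c = 3, d = 2 are my own choices for the demonstration; 211 = 3 (mod 8), so d = 2 is a non-square and the completeness claim applies (dc⁴ is then also a non-square).

```python
# Added example (not from the paper): Section 4 register sequences for Edwards
# addition and doubling, checked against the affine law over GF(211).
import random

P, CC, DD = 211, 3, 2   # constructed toy parameters: x^2 + y^2 = CC^2 (1 + DD x^2 y^2)
assert pow(DD, (P - 1) // 2, P) == P - 1, "d must be a non-square mod p"


class Counter:
    def __init__(self):
        self.M = self.S = self.C = self.D = self.a = 0

    def tuple(self):
        return (self.M, self.S, self.C, self.D, self.a)


class Fp:
    """Element of GF(p); every field operation is tallied on the shared counter:
    M general multiplication, S squaring, C multiplication by c, D by d, a add/sub."""
    ctr = Counter()

    def __init__(self, v):
        self.v = v % P

    def __add__(self, o): Fp.ctr.a += 1; return Fp(self.v + o.v)
    def __sub__(self, o): Fp.ctr.a += 1; return Fp(self.v - o.v)
    def __mul__(self, o): Fp.ctr.M += 1; return Fp(self.v * o.v)
    def sq(self):         Fp.ctr.S += 1; return Fp(self.v * self.v)
    def mulc(self):       Fp.ctr.C += 1; return Fp(self.v * CC)
    def muld(self):       Fp.ctr.D += 1; return Fp(self.v * DD)


def edwards_add(p1, p2):
    """(X1:Y1:Z1) + (X2:Y2:Z2): the paper's 20-step sequence, 10M+1S+1C+1D+7a."""
    R1, R2, R3 = p1
    R4, R5, R6 = p2
    R3 = R3 * R6; R7 = R1 + R2; R8 = R4 + R5; R1 = R1 * R4; R2 = R2 * R5
    R7 = R7 * R8; R7 = R7 - R1; R7 = R7 - R2; R7 = R7 * R3; R8 = R1 * R2
    R8 = R8.muld(); R2 = R2 - R1; R2 = R2 * R3; R3 = R3.sq(); R1 = R3 - R8
    R3 = R3 + R8; R2 = R2 * R3; R3 = R3 * R1; R1 = R1 * R7; R3 = R3.mulc()
    return (R1, R2, R3)


def edwards_dbl(p1):
    """2(X1:Y1:Z1): the paper's two-temporary doubling sequence, 3M+4S+3C+6a."""
    R1, R2, R3 = p1
    R4 = R1 + R2; R3 = R3.mulc(); R1 = R1.sq(); R2 = R2.sq(); R3 = R3.sq(); R4 = R4.sq()
    R3 = R3 + R3; R5 = R1 + R2; R2 = R1 - R2; R4 = R4 - R5; R3 = R5 - R3
    R1 = R3 * R4; R3 = R3 * R5; R2 = R2 * R5; R1 = R1.mulc(); R2 = R2.mulc()
    return (R1, R2, R3)


def count_ops(fn, *args):
    """Run fn on projective inputs and return its (M, S, C, D, a) tally."""
    Fp.ctr = Counter()
    fn(*args)
    return Fp.ctr.tuple()


def inv(x):
    return pow(x, P - 2, P)


def on_curve(x, y):
    return (x * x + y * y) % P == CC * CC * (1 + DD * x * x * y * y) % P


def curve_points():
    return [(x, y) for x in range(P) for y in range(P) if on_curve(x, y)]


def affine_add(p, q):
    """Reference affine addition law on x^2 + y^2 = c^2 (1 + d x^2 y^2)."""
    (x1, y1), (x2, y2) = p, q
    t = DD * x1 * x2 * y1 * y2
    return ((x1 * y2 + y1 * x2) * inv(CC * (1 + t)) % P,
            (y1 * y2 - x1 * x2) * inv(CC * (1 - t)) % P)


def to_affine(pt):
    X, Y, Z = pt
    zi = inv(Z.v)
    return (X.v * zi % P, Y.v * zi % P)


def random_rep(p, rng):
    """A random projective representative (lam*x : lam*y : lam) of an affine point."""
    lam = rng.randrange(1, P)
    return (Fp(lam * p[0]), Fp(lam * p[1]), Fp(lam))


def sample_rep(i, seed=2):
    """Projective representative of the i-th curve point (for demos and tests)."""
    return random_rep(curve_points()[i], random.Random(seed))


def check_complete_and_unified(seed=1):
    """Double every point and add every ordered pair (P = Q included) with the
    projective sequences; compare with the affine law.  Returns
    (number of points, True iff every result agreed and no Z3 was ever 0)."""
    rng = random.Random(seed)
    pts = curve_points()
    for p in pts:
        if to_affine(edwards_dbl(random_rep(p, rng))) != affine_add(p, p):
            return len(pts), False
        for q in pts:
            r = edwards_add(random_rep(p, rng), random_rep(q, rng))
            if r[2].v == 0 or to_affine(r) != affine_add(p, q):
                return len(pts), False
    return len(pts), True


def decompress(x):
    """Compression: y^2 = (c^2 - x^2)/(1 - c^2 d x^2); returns both roots, or
    None if x is not an x-coordinate.  Uses the p = 3 (mod 4) square-root shortcut."""
    y2 = (CC * CC - x * x) * inv(1 - CC * CC * DD * x * x) % P
    y = pow(y2, (P + 1) // 4, P)
    return (y, (P - y) % P) if y * y % P == y2 else None


if __name__ == "__main__":
    n, ok = check_complete_and_unified()
    A, B = sample_rep(1), sample_rep(2, seed=3)
    print(n, "points; all pairs and doublings agree with the affine law:", ok)
    print("ADD tally (M,S,C,D,a):", count_ops(edwards_add, A, B))
    print("DBL tally (M,S,C,D,a):", count_ops(edwards_dbl, A))
```

The all-pairs check is what distinguishes "complete" from merely "unified": for a non-square d no pair of inputs, not even P = −Q or P = Q, drives Z3 to zero, so the same code path serves every addition without an exceptional-case branch that a side channel could observe.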


5 Comparison to Previous Addition Speeds 

This section compares the speeds of the algorithms in §4 to the speeds of previous 
algorithms for elliptic-curve doubling, elliptic-curve mixed addition, etc. The 
next three sections perform similar comparisons for higher-level elliptic-curve 
operations relevant to various cryptographic applications. 
Level of Detail of the Comparison. We follow most of the literature in ignoring 
the costs of additions, subtractions, and multiplications by small constants. 
We recognize that these costs (and the costs of non-arithmetic operations) can 
be quite noticeable in practice, and we plan a more detailed cost evaluation of 
the Edwards form along the lines of [7], but for this paper we ignore the costs. 

Consider, for example, the usual doubling algorithm for Jacobian coordinates 
in the case a = −3: there are 4 squarings, 4 general multiplications, 5 additions 
and subtractions, and 5 multiplications by the small constants 2, 3, 4, 8, 8. We 
summarize these costs as 4M + 4S. 

Some algorithms involve multiplications by curve parameters, such as the 
parameter d in Edwards curves. Some applications can take advantage of multi- 
plying by a constant d, and some applications can choose curves where d is small, 
but other applications cannot. To cover both situations we separately tally the 
cost D of multiplying by a curve parameter; the reader can substitute D = 0, 
D = M, or anything in between. 

Each of our tables includes a column “(1, 1)” that substitutes (S, D) ≈ (M, M), 
a column “(0.8, 0.5)” that substitutes (S, D) ≈ (0.8M, 0.5M), and a column 
“(0.8, 0)” that substitutes (S, D) ≈ (0.8M, 0M). We sort each table using the 
standard, but debatable, approximations (S, D) ≈ (0.8M, 0M). We do not claim 
that these approximations are valid for most applications. The order of entries 
in our tables can easily be affected by small changes in the S/M ratio, the D/M 
ratio, etc. 

Algorithms in the Literature. We have built an “Explicit-Formulas 
Database” [8] containing, in computer-readable format, various algorithms for 
operations on elliptic curves. EFD currently consists of 123 scripts for the Magma 
computer-algebra system checking the correctness of algorithms for elliptic 
curves in the following forms: 

• Projective: A point $(x, y)$ on an elliptic curve $y^2 = x^3 + ax + b$, with 
neutral element at infinity, is represented as $(X : Y : Z)$ satisfying $Y^2Z = 
X^3 + aXZ^2 + bZ^3$. Here $(X : Y : Z) = (\lambda X : \lambda Y : \lambda Z)$ for all nonzero $\lambda$. 

• Jacobian: A point $(x, y)$ on an elliptic curve $y^2 = x^3 + ax + b$, with neutral 
element at infinity, is represented as $(X : Y : Z)$ satisfying $Y^2 = X^3 + 
aXZ^4 + bZ^6$. Here $(X : Y : Z) = (\lambda^2 X : \lambda^3 Y : \lambda Z)$ for all nonzero $\lambda$. 

• Jacobi quartic (with leading and trailing coefficients 1): A point $(x, y)$ on 
an elliptic curve $y^2 = x^4 + 2ax^2 + 1$, with neutral element $(0, 1)$, is represented 
as $(X : Y : Z)$ satisfying $Y^2 = X^4 + 2aX^2Z^2 + Z^4$. Here $(X : Y : Z) = 
(\lambda X : \lambda^2 Y : \lambda Z)$ for all nonzero $\lambda$. 

• Jacobi intersection: A point $(s, c, d)$ on an elliptic curve $s^2 + c^2 = 1$, 
$as^2 + d^2 = 1$, with neutral element $(0, 1, 1)$, is represented as $(S : C : D : Z)$ 
satisfying $S^2 + C^2 = Z^2$, $aS^2 + D^2 = Z^2$. Here $(S : C : D : Z) = (\lambda S : \lambda C : 
\lambda D : \lambda Z)$ for all nonzero $\lambda$. 

• Hessian: A point $(x, y)$ on an elliptic curve $x^3 + y^3 + 1 = 3axy$, with neutral 
element at infinity, is represented as $(X : Y : Z)$ satisfying $X^3 + Y^3 + Z^3 = 
3aXYZ$. Here $(X : Y : Z) = (\lambda X : \lambda Y : \lambda Z)$ for all nonzero $\lambda$. 

• Doubling-oriented Doche/Icart/Kohel: A point $(x, y)$ on an elliptic 
curve $y^2 = x^3 + ax^2 + 16ax$, with neutral element at infinity, is represented 
as $(X : Y : Z : Z^2)$ satisfying $Y^2 = ZX^3 + aZ^2X^2 + 16aZ^3X$. Here $(X : Y : 
Z : Z^2) = (\lambda X : \lambda^2 Y : \lambda Z : \lambda^2 Z^2)$ for all nonzero $\lambda$. 

• Tripling-oriented Doche/Icart/Kohel: A point $(x, y)$ on an elliptic 
curve $y^2 = x^3 + 3a(x + 1)^2$, with neutral element at infinity, is represented 
as $(X : Y : Z : Z^2)$ satisfying $Y^2 = X^3 + 3aZ^2(X + Z^2)^2$. Here 
$(X : Y : Z : Z^2) = (\lambda^2 X : \lambda^3 Y : \lambda Z : \lambda^2 Z^2)$ for all nonzero $\lambda$. 

• Edwards (with c = 1): A point $(x, y)$ on an elliptic curve $x^2 + y^2 = 1 + 
dx^2y^2$, with neutral element $(0, 1)$, is represented as $(X : Y : Z)$ satisfying 
$(X^2 + Y^2)Z^2 = Z^4 + dX^2Y^2$. Here $(X : Y : Z) = (\lambda X : \lambda Y : \lambda Z)$ for all 
nonzero $\lambda$. 

We copied formulas from several sources in the literature; see [24] for an 
overview. One particularly noteworthy source is the 1986 paper [16] by Chudnovsky 
and Chudnovsky, containing formulas and operation counts for several 
forms of elliptic curves: projective, Jacobian, Jacobi quartic, Jacobi intersection, 
and Hessian. Liardet and Smart in [34] presented faster algorithms for 
Jacobi intersections. Billet and Joye in [9] presented faster algorithms for Jacobi 
quartics. Joye and Quisquater in [28] pointed out that the Hessian addition 
formulas (dating back to Sylvester) could also be used for doublings after a permutation 
of input coordinates, providing a weak form of unification: specifically, 
$2(X_1 : Y_1 : Z_1) = (Z_1 : X_1 : Y_1) + (Y_1 : Z_1 : X_1)$. Brier and Joye in [13] presented 
unified addition formulas for projective (and affine) coordinates; see also [12]. Of 
course, we also include our own algorithms for Edwards curves. 

Chudnovsky and Chudnovsky also pointed out, in the case of Jacobian coordinates, 
that readdition of a point is less expensive than the first addition. The 
addition formulas for $(X_1 : Y_1 : Z_1) + (X_2 : Y_2 : Z_2)$ use 1M + 1S to compute 
$Z_2^2$ and $Z_2^3$; by caching $Z_2^2$ and $Z_2^3$ one can save 1M + 1S in computing any 
$(X_1' : Y_1' : Z_1') + (X_2 : Y_2 : Z_2)$. We comment that similar savings are possible for 
Jacobi intersections and Jacobi quartics. 

(Rather than distinguishing readditions from initial additions, Chudnovsky 
and Chudnovsky reported speeds for addition and doubling of points represented 
as $(X : Y : Z : Z^2 : Z^3)$. But this representation is wasteful, as pointed 
out by Cohen, Miyaji, and Ono in [18]: if $(X_1 : Y_1 : Z_1)$ is used only for a 
doubling and not for a general addition then there is no need to compute $Z^3$. 
Sometimes coordinates $(X : Y : Z : Z^2 : Z^3)$ are called “Chudnovsky coordinates” 
or “Chudnovsky-Jacobian coordinates,” and computing $Z^2$ and $Z^3$ only 
when they are needed is called “mixing Chudnovsky coordinates with Jacobian 
coordinates.” We prefer to describe the same speedup using the simpler concept 
of readditions.) 

Our operation counts for previous systems are often better than the operation 
counts reported in the literature. One reason is that a multiplication can 
often be replaced with a squaring, saving M − S. For example, as pointed out in 
[5, pages 16–17], Jacobian doubling with a = −3 uses 3M + 5S rather than the 
usual 4M + 4S. As another example, Doche/Icart/Kohel doubling uses 2M + 
5S + 2D rather than 3M + 4S + 2D. The Explicit-Formulas Database contains 
full justification for each of our operation counts. 

Comparison Charts. The following table reports speeds for addition of two 
points: 

System                 ADD              (1, 1)   (0.8, 0.5)   (0.8, 0) 
Doche/Icart/Kohel 2    12M + 5S + 1D    18M      16.5M        16M 
Doche/Icart/Kohel 3    11M + 6S + 1D    18M      16.3M        15.8M 
Jacobian               11M + 5S         16M      15M          15M 
Jacobi intersection    13M + 2S + 1D    16M      15.1M        14.6M 
Projective             12M + 2S         14M      13.6M        13.6M 
Jacobi quartic         10M + 3S + 1D    14M      12.9M        12.4M 
Hessian                12M              12M      12M          12M 
Edwards                10M + 1S + 1D    12M      11.3M        10.8M 

Readdition of a point already used in an addition: 

System                 reADD            (1, 1)   (0.8, 0.5)   (0.8, 0) 
Doche/Icart/Kohel 2    12M + 5S + 1D    18M      16.5M        16M 
Doche/Icart/Kohel 3    10M + 6S + 1D    17M      15.3M        14.8M 
Projective             12M + 2S         14M      13.6M        13.6M 
Jacobian               10M + 4S         14M      13.2M        13.2M 
Jacobi intersection    11M + 2S + 1D    14M      13.1M        12.6M 
Hessian                12M              12M      12M          12M 
Jacobi quartic         9M + 3S + 1D     13M      11.9M        11.4M 
Edwards                10M + 1S + 1D    12M      11.3M        10.8M 

Mixed addition (i.e., addition assuming that Z2 = 1): 

System                 mADD             (1, 1)   (0.8, 0.5)   (0.8, 0) 
Jacobi intersection    11M + 2S + 1D    14M      13.1M        12.6M 
Doche/Icart/Kohel 2    8M + 4S + 1D     13M      11.7M        11.2M 
Projective             9M + 2S          11M      10.6M        10.6M 
Jacobi quartic         8M + 3S + 1D     12M      10.9M        10.4M 
Doche/Icart/Kohel 3    7M + 4S + 1D     12M      10.7M        10.2M 
Jacobian               7M + 4S          11M      10.2M        10.2M 
Hessian                10M              10M      10M          10M 
Edwards                9M + 1S + 1D     11M      10.3M        9.8M 

Doubling: 

System                 DBL              (1, 1)   (0.8, 0.5)   (0.8, 0) 
Projective             5M + 6S + 1D     12M      10.3M        9.8M 
Projective if a = −3   7M + 3S          10M      9.4M         9.4M 
Hessian                7M + 1S          8M       7.8M         7.8M 
Doche/Icart/Kohel 3    2M + 7S + 2D     11M      8.6M         7.6M 
Jacobian               1M + 8S + 1D     10M      7.9M         7.4M 
Jacobian if a = −3     3M + 5S          8M       7M           7M 
Jacobi quartic         2M + 6S + 2D     10M      7.8M         6.8M 
Jacobi intersection    3M + 4S          7M       6.2M         6.2M 
Edwards                3M + 4S          7M       6.2M         6.2M 
Doche/Icart/Kohel 2    2M + 5S + 2D     9M       7M           6M 

Unified addition: 

System                 UNI              (1, 1)   (0.8, 0.5)   (0.8, 0) 
Projective             11M + 6S + 1D    18M      16.3M        15.8M 
Projective if a = −1   13M + 3S         16M      15.4M        15.4M 
Jacobi intersection    13M + 2S + 1D    16M      15.1M        14.6M 
Jacobi quartic         10M + 3S + 1D    14M      12.9M        12.4M 
Hessian                12M              12M      12M          12M 
Edwards                10M + 1S + 1D    12M      11.3M        10.8M 

Most of the addition formulas in this last table are strongly unified: they work 
without change for doublings. The Hessian addition algorithm is an exception: it 
works for doublings only after a permutation of input coordinates. As mentioned 
earlier, the addition algorithm for Edwards curves with non-square d has the 
stronger feature of being complete: it works without change for all inputs. 


6 Single-Scalar Variable-Point Multiplication 


This section compares Edwards curves to previous curve forms for single-scalar 
variable-point multiplication: computing nP given an integer n and a curve 
point P. This is one of the critical computations in elliptic-curve cryptography; 
for example, if n is a secret key and P is another user’s public key then nP is a 
Diffie-Hellman secret shared between the two users. The next section considers 
variations of the same problem: fixed points P (allowing precomputation of, e.g., 
$2^{128}P$), more scalars and points, etc. 

See [2] and [22] for surveys of the classic algorithms for scalar multiplication. 
We focus on “signed sliding window” algorithms, specifically with “window width 
1” (also known as “non-adjacent form” or “NAF”) or “window width 4.” We 
also discuss the “Montgomery ladder.” 

We make the standard assumption that the input point P has Z = 1. All 
additions of P can thus be computed as mixed additions. By scaling other points 
to have Z = 1 one can create more mixed additions at the expense of extra field 
inversions; for the sake of simplicity we ignore this option in our comparison. 

The NAF algorithm, for an average b-bit scalar n, uses approximately b 
doublings and approximately (1/3)b mixed additions. So we tally the cost of 
1 doubling and 1/3 mixed additions: 

System                 1 DBL, 1/3 mADD            (1, 1)   (0.8, 0.5)   (0.8, 0) 
Projective             8M + 6.67S + 1D            15.7M    13.8M        13.3M 
Projective if a = −3   10M + 3.67S                13.7M    12.9M        12.9M 
Hessian                10.3M + 1S                 11.3M    11.1M        11.1M 
Doche/Icart/Kohel 3    4.33M + 8.33S + 2.33D      15M      12.2M        11M 
Jacobian               3.33M + 9.33S + 1D         13.7M    11.3M        10.8M 
Jacobian if a = −3     5.33M + 6.33S              11.7M    10.4M        10.4M 
Jacobi intersection    6.67M + 4.67S + 0.333D     11.7M    10.6M        10.4M 
Jacobi quartic         4.67M + 7S + 2.33D         14M      11.4M        10.3M 
Doche/Icart/Kohel 2    4.67M + 6.33S + 2.33D      13.3M    10.9M        9.73M 
Edwards                6M + 4.33S + 0.333D        10.7M    9.63M        9.47M 


The “signed width-4 sliding windows” algorithm involves, on average, approximately 
b − 4.5 doublings, 7b/48 + 5.2 readditions, b/48 + 0.9 mixed additions, 
and 0.9 non-mixed additions; e.g., approximately 251.5 doublings, 42.5 readditions, 
6.3 mixed additions, and 0.9 non-mixed additions for b = 256. (Different 
variants of the algorithm have slightly different costs; we chose one variant and 
measured it for 10000 uniform random 256-bit integers n.) So we tally the cost 
of 251.5/256 ≈ 0.98 doublings, 42.5/256 ≈ 0.17 readditions, 6.3/256 ≈ 0.025 
mixed additions, and 0.9/256 ≈ 0.0035 non-mixed additions: 

System                 0.98 DBL, 0.17 reADD, 0.025 mADD, 0.0035 ADD   (1, 1)   (0.8, 0.5)   (0.8, 0) 
Projective             7.17M + 6.28S + 0.982D                         14.4M    12.7M        12.2M 
Projective if a = −3   9.13M + 3.34S                                  12.5M    11.8M        11.8M 
Doche/Icart/Kohel 3    3.84M + 7.99S + 2.16D                          14M      11.3M        10.2M 
Hessian                9.16M + 0.982S                                 10.1M    9.94M        9.94M 
Jacobian               2.85M + 8.64S + 0.982D                         12.5M    10.3M        9.77M 
Jacobian if a = −3     4.82M + 5.69S                                  10.5M    9.37M        9.37M 
Doche/Icart/Kohel 2    4.2M + 5.86S + 2.16D                           12.2M    9.96M        8.88M 
Jacobi quartic         3.69M + 6.48S + 2.16D                          12.3M    9.95M        8.87M 
Jacobi intersection    5.09M + 4.32S + 0.194D                         9.6M     8.64M        8.54M 
Edwards                4.86M + 4.12S + 0.194D                         9.18M    8.26M        8.16M 
Another approach to high-speed single-scalar multiplication is Montgomery’s 
algorithm in [38] for x-coordinate operations on curves in Montgomery form 
$y^2 = x^3 + ax^2 + x$. This algorithm does not support fast addition $P, Q \mapsto P + Q$, 
does not support arbitrary addition chains, and does not fit into our previous 
tables; but it does support fast “differential addition” $P - Q, P, Q \mapsto P + Q$, and 
therefore fast computation of “differential addition-subtraction chains.” 

In particular, the “Montgomery ladder” uses 5M + 4S + 1D per bit of n 
to compute $P \mapsto nP$. For comparison, the NAF algorithm for Edwards curves 
with our formulas takes 6M + 4.33S + 0.333D per bit of n, clearly slower than 
5M + 4S + 1D per bit. But signed width-4 sliding windows take only 4.86M + 
4.12S + 0.194D per bit for b = 256, saving 0.14M − 0.12S + 0.806D per bit. 
Note that Edwards form is less sensitive to a large D than Montgomery form. 
Larger b’s favor larger window widths, reducing the number of additions per bit 
and making Edwards curves even more attractive. 
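The tallies behind the two tables above and the per-bit comparison with the Montgomery ladder, as an added example that is not part of the paper: the block recodes scalars into NAF and into signed width-w sliding-window digits, counts the doublings, mixed additions and readditions one left-to-right evaluation of nP performs, and folds the counts through the Edwards and Jacobian (a = −3) per-operation costs from §5 under the same (S/M, D/M) weightings the tables use. The window variant and its precomputation accounting are my own, so its averages are close to, not identical with, the figures measured in the paper; the Edwards, Jacobian and Montgomery-ladder operation costs are the page's.

```python
# Added example (not from the paper): scalar recoding, operation tallies and
# the (S/M, D/M) cost weighting used in the comparison tables.
import random

# (M, S, D) per group operation, taken from the Section 5 tables.
EDWARDS = {"DBL": (3, 4, 0), "mADD": (9, 1, 1), "reADD": (10, 1, 1), "ADD": (10, 1, 1)}
JACOBIAN_A3 = {"DBL": (3, 5, 0), "mADD": (7, 4, 0), "reADD": (10, 4, 0), "ADD": (11, 5, 0)}
MONTGOMERY_LADDER_PER_BIT = (5, 4, 1)       # from the paragraph above


def wnaf(n, w):
    """Signed digits of n, least significant first: each nonzero digit is odd
    with |d| < 2^w and is followed by at least w zeros.  w = 1 is the NAF;
    w = 4 is 'signed width-4 sliding windows' (table 1P, 3P, ..., 15P)."""
    digits, mod = [], 1 << (w + 1)
    while n > 0:
        d = 0
        if n & 1:
            d = n % mod
            if d >= mod // 2:
                d -= mod
            n -= d
        digits.append(d)
        n >>= 1
    return digits


def from_digits(digits):
    return sum(d << i for i, d in enumerate(digits))


def tally(n, w):
    """Operation counts for left-to-right evaluation of nP from wnaf(n, w)
    with P in Z = 1 form: a +-P digit is a mixed addition, any other table
    entry is a readdition.  For w > 1 the table 3P, 5P, ..., (2^w - 1)P costs
    one doubling (2P), one mixed addition (3P = 2P + P) and readditions of 2P."""
    digits = wnaf(n, w)
    ops = {"DBL": len(digits) - 1, "mADD": 0, "reADD": 0, "ADD": 0}
    for d in digits:
        if d != 0:
            ops["mADD" if abs(d) == 1 else "reADD"] += 1
    if w > 1:
        ops["DBL"] += 1
        ops["mADD"] += 1
        ops["reADD"] += (1 << (w - 1)) - 2
    return ops


def per_bit(ops, table, bits):
    """(M, S, D) per scalar bit for an operation tally and a cost table."""
    m = s = d = 0.0
    for name, count in ops.items():
        cm, cs, cd = table[name]
        m, s, d = m + count * cm, s + count * cs, d + count * cd
    return (m / bits, s / bits, d / bits)


def as_m(msd, s_ratio, d_ratio):
    """Collapse (M, S, D) to M-equivalents under S = s_ratio*M, D = d_ratio*M."""
    m, s, d = msd
    return m + s * s_ratio + d * d_ratio


def average_tally(bits=256, w=4, trials=200, seed=1):
    """Average operation counts over random bits-bit scalars with the top bit set."""
    rng = random.Random(seed)
    acc = {"DBL": 0, "mADD": 0, "reADD": 0, "ADD": 0}
    for _ in range(trials):
        n = rng.getrandbits(bits) | (1 << (bits - 1))
        for k, v in tally(n, w).items():
            acc[k] += v
    return {k: v / trials for k, v in acc.items()}


if __name__ == "__main__":
    for w in (1, 4):
        avg = average_tally(w=w)
        print(f"w={w}: {avg}")
        for name, table in (("Edwards", EDWARDS), ("Jacobian a=-3", JACOBIAN_A3)):
            m, s, d = per_bit(avg, table, 256)
            print(f"  {name:14s} {m:.2f}M + {s:.2f}S + {d:.3f}D per bit"
                  f" = {as_m((m, s, d), 0.8, 0.5):.2f}M at (0.8, 0.5)")
    print("Montgomery ladder:", as_m(MONTGOMERY_LADDER_PER_BIT, 0.8, 0.5), "M per bit at (0.8, 0.5)")
```

Running it reproduces the shape of the argument in the text: NAF costs Edwards about 6M + 4.33S + 0.33D per bit, which loses to the ladder's 5M + 4S + 1D once D is cheap, while width-4 windows push the Edwards count below the ladder under every weighting in the tables.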


7 Multiple Scalars, Fixed Points, etc. 


General multi-scalar multiplication means computing $\sum_i n_i P_i$ given integers $n_i$ 
and curve points $P_i$. Specific tasks are obtained by specifying the number of 
points, by specifying which points are known in advance, by specifying which 
integers are known in advance, etc. See generally [2] and [22]. 

We focus on four specific algorithms: the popular “joint sparse form” (“JSF”) 
algorithm for computing $n_1P_1 + n_2P_2$, given b-bit integers $n_1, n_2$ and curve points 
$P_1, P_2$; the accelerated ECDSA verification algorithm in [1, page 9]; batch verification 
of elliptic-curve signatures, using the “Small Exponents Test” from [4, 
§3.3] and the multi-scalar multiplication algorithm that de Rooij in [20, §4] 
credits to Bos and Coster; and computation of nP for a fixed point P, using 
a standard “comb” table containing 90 precomputed multiples of P, essentially 
$2^{\{0,1,2,3,4,5\}b/6}\bigl(\{0,1\}P + \{0,1\}2^{b/24}P + \{0,1\}2^{2b/24}P + \{0,1\}2^{3b/24}P\bigr)$, normalized 
to have Z = 1. 

The JSF algorithm uses about b doublings, about (1/4)b mixed additions (for 
average $n_1, n_2$), and about (1/4)b readditions. So we tally the cost of 1 doubling, 
1/4 mixed additions, and 1/4 readditions: 

System                 1 DBL, 1/4 mADD, 1/4 reADD   (1, 1)   (0.8, 0.5)   (0.8, 0) 
Projective             10.2M + 7S + 1D              18.2M    16.4M        15.8M 
Projective if a = −3   12.2M + 4S                   16.2M    15.4M        15.4M 
Doche/Icart/Kohel 3    6.25M + 9.5S + 2.5D          18.2M    15.1M        13.8M 
Hessian                12.5M + 1S                   13.5M    13.3M        13.3M 
Jacobian               5.25M + 10S + 1D             16.2M    13.8M        13.2M 
Jacobian if a = −3     7.25M + 7S                   14.2M    12.8M        12.8M 
Doche/Icart/Kohel 2    7M + 7.25S + 2.5D            16.8M    14.1M        12.8M 
Jacobi intersection    8.5M + 5S + 0.5D             14M      12.8M        12.5M 
Jacobi quartic         6.25M + 7.5S + 2.5D          16.2M    13.5M        12.2M 
Edwards                7.75M + 4.5S + 0.5D          12.8M    11.6M        11.4M 

The accelerated ECDSA verification algorithm uses about (1/3)b doublings, 
about (1/4)b mixed additions, and about (1/4)b readditions. So we tally the cost 
of 1/3 doublings, 1/4 mixed additions, and 1/4 readditions: 

System                 1/3 DBL, 1/4 mADD, 1/4 reADD   (1, 1)   (0.8, 0.5)   (0.8, 0) 
Projective             6.92M + 3S + 0.333D            10.2M    9.48M        9.32M 
Projective if a = −3   7.58M + 2S                     9.58M    9.18M        9.18M 
Doche/Icart/Kohel 2    5.67M + 3.92S + 1.17D          10.7M    9.38M        8.8M 
Doche/Icart/Kohel 3    4.92M + 4.83S + 1.17D          10.9M    9.37M        8.78M 
Jacobi intersection    6.5M + 2.33S + 0.5D            9.33M    8.62M        8.37M 
Jacobian               4.58M + 4.67S + 0.333D         9.58M    8.48M        8.32M 
Jacobian if a = −3     5.25M + 3.67S                  8.92M    8.18M        8.18M 
Hessian                7.83M + 0.333S                 8.17M    8.1M         8.1M 
Jacobi quartic         4.92M + 3.5S + 1.17D           9.58M    8.3M         7.72M 
Edwards                5.75M + 1.83S + 0.5D           8.08M    7.47M        7.22M 

The batch-verification algorithm is not as well known as it should be, so 
we summarize it here for one variant of the ElGamal signature system. Fix 
a hash function H and a base point B on an elliptic curve over a 256-bit 
field. Define (R, s) as a signature of a message m under a public key K if 
R, K are curve points, s is a 256-bit integer, and $sB = H(R, m)R + K$. The 
batch-verification algorithm is given (e.g.) 100 alleged signatures $(R_i, s_i)$ of 100 
messages $m_i$ under 100 keys $K_i$. The algorithm checks the equations $s_iB = 
H(R_i, m_i)R_i + K_i$ by choosing random 128-bit integers $v_i$ and checking that the 
combination $(\sum_i v_i s_i)B - \sum_i v_i H(R_i, m_i) R_i - \sum_i v_i K_i$ is zero. Computing this 
combination, a 201-scalar multiplication with 101 256-bit scalars and 100 128-bit 
scalars, takes about 0.8·256 mixed additions and about 24.4·256 readditions 
with the Bos-Coster algorithm. So we tally the cost of 0.8 mixed additions and 
24.4 readditions: 

System                 0.8 mADD, 24.4 reADD       (1, 1)   (0.8, 0.5)   (0.8, 0) 
Doche/Icart/Kohel 2    299M + 125S + 25.2D        450M     412M         399M 
Doche/Icart/Kohel 3    250M + 150S + 25.2D        424M     382M         369M 
Projective             300M + 50.4S               350M     340M         340M 
Jacobian               250M + 101S                350M     330M         330M 
Jacobi intersection    277M + 50.4S + 25.2D       353M     330M         318M 
Hessian                301M                       301M     301M         301M 
Jacobi quartic         226M + 75.6S + 25.2D       327M     299M         286M 
Edwards                251M + 25.2S + 25.2D       302M     284M         271M 

The 90-point-comb algorithm computes a b-bit fixed-point single-scalar multiplication 
as a 24-scalar multiplication with about b/24 doublings and about 
15b/64 = 5.625(b/24) mixed additions. So we tally the cost of 1/24 doublings 
and 15/64 mixed additions: 

System                 1/24 DBL, 15/64 mADD         (1, 1)   (0.8, 0.5)   (0.8, 0) 
Jacobi intersection    2.7M + 0.635S + 0.234D       3.57M    3.33M        3.21M 
Projective             2.32M + 0.719S + 0.0417D     3.08M    2.91M        2.89M 
Projective if a = −3   2.4M + 0.594S                2.99M    2.88M        2.88M 
Doche/Icart/Kohel 2    1.96M + 1.15S + 0.318D       3.42M    3.03M        2.88M 
Jacobi quartic         1.96M + 0.953S + 0.318D      3.23M    2.88M        2.72M 
Doche/Icart/Kohel 3    1.72M + 1.23S + 0.318D       3.27M    2.87M        2.71M 
Jacobian               1.68M + 1.27S + 0.0417D      2.99M    2.72M        2.7M 
Jacobian if a = −3     1.77M + 1.15S                2.91M    2.68M        2.68M 
Hessian                2.64M + 0.0417S              2.68M    2.67M        2.67M 
Edwards                2.23M + 0.401S + 0.234D      2.87M    2.67M        2.56M 

Montgomery’s x-coordinate algorithm in [38] can also be used for multi-scalar 
multiplication, but does not seem to provide competitive performance as the 
number of scalars increases, despite recent differential-addition-chain improvements 
in [6] and [14]. 


8 Countermeasures Against Side-Channel Attacks 

The scalar-multiplication algorithms discussed in §6 and §7 are often unacceptable 
for cryptographic hardware and embedded systems. Many secret bits of the 
integers $n_i$ are leaked, through the pattern of doublings and mixed additions 
and non-mixed additions, to side-channel attacks such as simple power analysis. 
See generally [27], [33], and [36]. 

One response is to use a fixed pattern of doublings, mixed additions, etc., independent 
of the integers $n_i$. Another response is to hide the pattern of doublings, 
mixed additions, etc. Some of these responses still leak the Hamming weight in 
the single-scalar case, and the total number of operations in the general case, but 
this information can be shielded at low cost in other ways. Of course, at a lower 
level, field operations must be individually shielded. In particular, an operation 
counted as M must be carried out by a multiplication unit whose time, power 
consumption, etc. do not depend on the inputs. Even if the inputs happen to 
be the same, and even if a faster squaring unit is available, the multiplication 
must not be carried out by the squaring unit. An operation counted as S can 
be carried out by a faster squaring unit whose time, power consumption, etc. do 
not depend on the input. 

We focus on four specific side-channel countermeasures: non-sliding windows 
with digits {1, 2, 3, 4, 5, 6, 7, 8}; signed width-4 sliding windows with unified 
addition-or-doubling formulas; width-4 sliding windows with atomic blocks; and 
the Montgomery ladder. For concreteness we consider two examples of primitives: 
first single-scalar multiplication and then triple-scalar multiplication. Extra 
scalars produce extra additions, reducing the importance of doublings, as in 
§7; in particular, extra scalars make unified formulas more attractive. 

We also discuss differential attacks at the end of the section. 

Single-Scalar Multiplication. Non-sliding windows with digits {1, 2, 3, . . . , 8} 
use, on average, approximately b − 1.9 doublings and b/3 + 6 readditions for single-scalar 
multiplication: e.g., 254.1 do­ublings and 91.4 readditions for b = 256. So 
we tally the cost of 254.1/256 ≈ 0.99 doublings and 91.4/256 ≈ 0.36 readditions: 

System                 0.99 DBL, 0.36 reADD      (1, 1)   (0.8, 0.5)   (0.8, 0) 
Projective             9.27M + 6.66S + 0.99D     16.9M    15.1M        14.6M 
Projective if a = −3   11.2M + 3.69S             14.9M    14.2M        14.2M 
Doche/Icart/Kohel 3    5.58M + 9.09S + 2.34D     17M      14M          12.9M 
Jacobian               4.59M + 9.36S + 0.99D     14.9M    12.6M        12.1M 
Hessian                11.2M + 0.99S             12.2M    12M          12M 
Jacobian if a = −3     6.57M + 6.39S             13M      11.7M        11.7M 
Doche/Icart/Kohel 2    6.3M + 6.75S + 2.34D      15.4M    12.9M        11.7M 
Jacobi quartic         5.22M + 7.02S + 2.34D     14.6M    12M          10.8M 
Jacobi intersection    6.93M + 4.68S + 0.36D     12M      10.9M        10.7M 
Edwards                6.57M + 4.32S + 0.36D     11.2M    10.2M        10M 

Signed width-4 sliding windows with unified addition-or-doubling formulas 
use, on average, 7b/6 + 2.5 unified operations for single-scalar multiplication: e.g., 
301.2 unified operations for b = 256. So we tally the cost of 301.2/256 ≈ 1.18 
unified operations: 

System                 1.18 UNI                  (1, 1)   (0.8, 0.5)   (0.8, 0) 
Projective             13M + 7.08S + 1.18D       21.2M    19.2M        18.6M 
Projective if a = −1   15.3M + 3.54S             18.9M    18.2M        18.2M 
Jacobi intersection    15.3M + 2.36S + 1.18D     18.9M    17.8M        17.2M 
Jacobi quartic         11.8M + 3.54S + 1.18D     16.5M    15.2M        14.6M 
Hessian                14.2M                     14.2M    14.2M        14.2M 
Edwards                11.8M + 1.18S + 1.18D     14.2M    13.3M        12.7M 
Next we consider signed width-4 sliding windows with atomic blocks. In [15] 
Chevallier-Mames, Ciet, and Joye presented Jacobian-coordinate formulas using 
10 atomic blocks for doubling and 16 atomic blocks for addition. Each block 
costs 1M and consists of one field multiplication, one field addition, one field 
negation, and another field addition; many of the additions and negations are 
dummy operations. Barbosa and Page in [3] presented automatic tools that turn 
arbitrary explicit formulas using mM + sS into formulas using m + s atomic 
blocks, each consisting of one field multiplication and some number of field additions 
and negations, thus costing 1M. So we tally the cost of 0.98 doublings, 
0.17 readditions, 0.025 mixed additions, and 0.0035 non-mixed additions, as in 
§6, except that we insist on S = M: 

System                 0.98 DBL, 0.17 reADD, 0.025 mADD, 0.0035 ADD, S = M   (1, 1)   (1, 0.5)   (1, 0) 
Projective             13.5M + 0.982D                                        14.4M    13.9M      13.5M 
Projective if a = −3   12.5M                                                 12.5M    12.5M      12.5M 
Doche/Icart/Kohel 3    11.8M + 2.16D                                         14M      12.9M      11.8M 
Jacobian               11.5M + 0.982D                                        12.5M    12M        11.5M 
Jacobian if a = −3     10.5M                                                 10.5M    10.5M      10.5M 
Jacobi quartic         10.2M + 2.16D                                         12.3M    11.2M      10.2M 
Hessian                10.1M                                                 10.1M    10.1M      10.1M 
Doche/Icart/Kohel 2    10.1M + 2.16D                                         12.2M    11.1M      10.1M 
Jacobi intersection    9.41M + 0.194D                                        9.6M     9.51M      9.41M 
Edwards                8.99M + 0.194D                                        9.18M    9.09M      8.99M 

The Montgomery ladder for single-scalar multiplication naturally uses a fixed 
double-add pattern costing only 5M + 4S + 1D per bit. This combination of 
side-channel resistance and high speed has already attracted interest; see, e.g., 
[29], [13, §4], and [7]. 

We comment that, in some situations, the dummy operations in atomic blocks 
can be detected by fault attacks. Non-sliding windows (with nonzero digits), 
unified formulas, and the Montgomery ladder have the virtue of avoiding dummy 
operations. 
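The first of the four countermeasures, non-sliding windows with digits {1, ..., 8}, as an added example that is not part of the paper: a scalar is rewritten in base 8 with every digit nonzero (a zero digit becomes 8 with a borrow from the next digit), so the evaluation performs three doublings and one readdition per digit regardless of the scalar, and no dummy operation is needed. The trace format, the borrow-based recoding and the plain binary double-and-add it is contrasted with are my own; the block reports the operation sequence so the scalar-dependent pattern of the naive method and the scalar-independent pattern of the recoded method can be compared directly.

```python
# Added example (not from the paper): SPA-motivated recoding of a scalar into
# nonzero base-8 digits, next to plain double-and-add, with operation traces.

def fixed_digits(n):
    """Base-8 digits of n > 0, least significant first, all in {1, ..., 8}:
    n = sum d_i 8^i.  A digit of 0 is replaced by 8 and 1 is borrowed from
    the next higher digit, so no digit ever skips the addition."""
    assert n > 0
    digits = []
    while n > 0:
        d = n % 8 or 8
        digits.append(d)
        n = (n - d) // 8
    return digits


def trace_fixed(n):
    """Operations of a left-to-right evaluation from fixed_digits(n) using a
    table P, 2P, ..., 8P: per digit after the first, 'DDD' then 'A'.
    Returns (trace string, digit count)."""
    digits = fixed_digits(n)[::-1]
    ops = []                               # the top digit is a table lookup only
    for _ in digits[1:]:
        ops += ["D", "D", "D", "A"]
    return "".join(ops), len(digits)


def trace_binary(n):
    """Plain double-and-add: a doubling per bit, an addition only for 1 bits."""
    ops = []
    for bit in bin(n)[3:]:                 # skip '0b' and the leading 1
        ops.append("D")
        if bit == "1":
            ops.append("A")
    return "".join(ops)


def evaluate_fixed(n, base):
    """Integer model of nP from the recoding, performing exactly the
    operations trace_fixed reports (three doublings, one readdition per digit)."""
    digits = fixed_digits(n)[::-1]
    table = {d: d * base for d in range(1, 9)}      # P, 2P, ..., 8P precomputed once
    acc = table[digits[0]]
    for d in digits[1:]:
        acc = acc + acc; acc = acc + acc; acc = acc + acc
        acc = acc + table[d]
    return acc


def pattern_leaks(traces):
    """True when scalars of equal length produce more than one distinct trace."""
    return len(set(traces)) > 1


if __name__ == "__main__":
    for n in (0b10000000, 0b10101011, 0b11111111):
        print(f"{n:08b} binary: {trace_binary(n)}")
        print(f"{n:08b} fixed : {trace_fixed(n)[0]}")
```

What remains observable is the digit count (a few candidates per bit-length), which is the residual leakage the text mentions and which is cheap to shield; the individual digit values are what the table lookup must hide, so the lookup itself has to be implemented without data-dependent memory access.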

Triple-Scalar Multiplication. Non-sliding windows with digits {1, 2, 3, . . . , 8} 
use approximately 0.99 doublings and 1.08 readditions per bit for triple-scalar 
multiplication: 

System                 0.99 DBL, 1.08 reADD      (1, 1)   (0.8, 0.5)   (0.8, 0) 
Projective             17.9M + 8.1S + 0.99D      27M      24.9M        24.4M 
Projective if a = −3   19.9M + 5.13S             25M      24M          24M 
Doche/Icart/Kohel 3    12.8M + 13.4S + 3.06D     29.2M    25M          23.5M 
Doche/Icart/Kohel 2    14.9M + 10.3S + 3.06D     28.4M    24.8M        23.2M 
Jacobian               11.8M + 12.2S + 0.99D     25M      22.1M        21.6M 
Jacobian if a = −3     13.8M + 9.27S             23M      21.2M        21.2M 
Hessian                19.9M + 0.99S             20.9M    20.7M        20.7M 
Jacobi intersection    14.9M + 6.12S + 1.08D     22.1M    20.3M        19.7M 
Jacobi quartic         11.7M + 9.18S + 3.06D     23.9M    20.6M        19M 
Edwards                13.8M + 5.04S + 1.08D     19.9M    18.3M        17.8M 

Signed width-4 sliding windows with unified addition-or-doubling formulas 
use approximately 1.54 unified operations per bit: 

System                 1.54 UNI                  (1, 1)   (0.8, 0.5)   (0.8, 0) 
Projective             16.9M + 9.24S + 1.54D     27.7M    25.1M        24.3M 
Projective if a = −1   20M + 4.62S               24.6M    23.7M        23.7M 
Jacobi intersection    20M + 3.08S + 1.54D       24.6M    23.3M        22.5M 
Jacobi quartic         15.4M + 4.62S + 1.54D     21.6M    19.9M        19.1M 
Hessian                18.5M                     18.5M    18.5M        18.5M 
Edwards                15.4M + 1.54S + 1.54D     18.5M    17.4M        16.6M 
Signed width-4 sliding windows with atomic blocks use approximately 0.98 
doublings and 0.56 readditions per bit: 

System                 0.98 DBL, 0.56 reADD, S = M   (1, 1)   (1, 0.5)   (1, 0) 
Projective             18.6M + 0.98D                 19.6M    19.1M      18.6M 
Doche/Icart/Kohel 3    17.8M + 2.52D                 20.3M    19M        17.8M 
Projective if a = −3   17.6M                         17.6M    17.6M      17.6M 
Jacobian               16.7M + 0.98D                 17.6M    17.2M      16.7M 
Doche/Icart/Kohel 2    16.4M + 2.52D                 18.9M    17.6M      16.4M 
Jacobian if a = −3     15.7M                         15.7M    15.7M      15.7M 
Hessian                14.6M                         14.6M    14.6M      14.6M 
Jacobi quartic         14.6M + 2.52D                 17.1M    15.8M      14.6M 
Jacobi intersection    14.1M + 0.56D                 14.7M    14.4M      14.1M 
Edwards                13M + 0.56D                   13.6M    13.3M      13M 

The Montgomery ladder can be generalized to a multi-scalar multiplication 
method using a fixed pattern of doublings and additions, as discussed in [6] and 
[14], but the performance of the generalization degrades rapidly as the number 
of scalars increases, as mentioned in §7. 

Countermeasures Against Differential and Correlation Side-Channel 
Attacks. Curves in Edwards form are compatible with countermeasures against 
differential and correlation side-channel attacks: 

• Randomized representations of scalars as addition-subtraction chains; see, 
e.g., [34] and [27, §4]. Our point representation supports arbitrary additions 
and subtractions. 

• Randomized scalars; see, e.g., [19, §5.1]. 

• Randomized coordinates; see, e.g., [19, §5.3]. Our point representation is 
redundant and can be scaled freely: $(X_1 : Y_1 : Z_1) = (\lambda X_1 : \lambda Y_1 : \lambda Z_1)$ for 
any $\lambda \neq 0$. 

• Randomized points, for example computing nP as n(P + Q) − nQ; see, 
e.g., [19, §5.2]. Our point representation supports arbitrary additions and 
subtractions. 

• Randomized curves; see, e.g., [33, §29.2]. Using the generalized addition law 
involving c and d one can easily transfer the computation to an isomorphic 
curve with $\bar c$ and $\bar d$ satisfying $\bar d \bar c^4 = dc^4$. As another example, one can perform 
computations on a 3-isogenous curve. 

We suggest using a combination of these countermeasures. In particular, point 
randomization or scalar randomization appears to be vital to counteract Goubin-type 
attacks. 

Curves in Edwards form are also compatible with countermeasures to other 
types of attacks discussed in [36]. 


References 

1. Antipa, A., Brown, D.R.L., Gallant, R.P., Lambert, R.J., Struik, R., Vanstone, 
S.A.: Accelerated verification of ECDSA signatures, in [43], pp. 307–318 
(2006). MR 2007d:94044, www.cacr.math.uwaterloo.ca/techreports/2005/ 
tech_reports2005.html (Cited in §7) 


48 


D.J. Bernstein and T. Lange 


2. Avanzi, R.M.: The complexity of certain multi-exponentiation techniques in 
cryptography. Journal of Cryptology 18, 357–373 (2005). MR 2007f:94027, 
www.eprint.iacr.org/2002/154 (Cited in §6, §7) 

3. Barbosa, M., Page, D.: On the automatic construction of indistinguishable operations 
(2005), www.eprint.iacr.org/2005/174 (Cited in §8) 

4. Bellare, M., Garay, J.A., Rabin, T.: Batch verification with applications to cryp- 
tography and checking, in [35], pp. 170-191 (1998). MR 99h:94043. (Cited in §7) 

5. Bernstein, D.J.: A software implementation of NIST P-224 (2001), 
www.cr.yp.to/talks.html#2001.10.29 (Cited in §5) 

6. Bernstein, D.J.: Differential addition chains (2006), www.cr.yp.to/papers. 
html#diffchain (Cited in §7, §8) 

7. Bernstein, D.J.: Curve25519: new Diffie-Hellman speed records, in [45], pp. 207–228 
(2006), www.cr.yp.to/papers.html#curve25519 (Cited in §1, §2, §4, §5, §8) 

8. Bernstein, D.J., Lange, T.: Explicit-formulas database (2007), www. 
hyperelliptic.org/EFD (Cited in §2, §3, §3, §5) 

9. Billet, O., Joye, M.: The Jacobi model of an elliptic curve and side-channel analysis, 
in [26], pp. 34–42 (2003). MR 2005c:94045, www.eprint.iacr.org/2002/125 (Cited 
in §1, §5) 

10. Blake, I.F., Seroussi, G., Smart, N.P. (eds.): Advances in elliptic curve cryptogra- 
phy. London Mathematical Society Lecture Note Series, 317. Cambridge University 
Press, Cambridge (2005), MR 2007g:94001. See [27] 

11. Bosma, W., Lenstra Jr., H.W.: Complete systems of two addition laws for elliptic 
curves. Journal of Number Theory 53, 229–240 (1995), MR 96f:11079. (Cited in 
§3, §3) 

12. Brier, E., Dechene, I., Joye, M.: Unified point addition formulae for elliptic curve 
cryptosystems, in [40], pp. 247-256 (2004) (Cited in §5) 

13. Brier, E., Joye, M.: Weierstrass elliptic curves and side-channel attacks, in [39], pp. 
335-345 (2002), www.geocities.com/MarcJoye/publications.html (Cited in §5, 
§8) 

14. Brown, D.R.L.: Multi-dimensional Montgomery ladders for elliptic curves (2006), 
www . eprint . iacr . org/2006/220 (Cited in §7, §8) 

15. Chevallier-Mames, B., Ciet, M., Joye, M.: Low-cost solutions for preventing simple 
side-channel analysis: side-channel atomicity. IEEE Transactions on Computers 53, 
760–768 (2004), www.bcm.crypto.free.fr/pdf/CCJ04.pdf (Cited in §8) 

16. Chudnovsky, D.V., Chudnovsky, G.V.: Sequences of numbers generated by addition 
in formal groups and new primality and factorization tests. Advances in Applied 
Mathematics 7, 385-434 (1986), MR 88h:11094. (Cited in §5) 

17. Cohen, H., Frey, G. (eds.): Handbook of elliptic and hyperelliptic curve cryptography. 
CRC Press, Boca Raton (2005), MR 2007f:14020. See [22], [24], [33] 

18. Cohen, H., Miyaji, A., Ono, T.: Efficient elliptic curve exponentiation using mixed 
coordinates, in [41], pp. 51–65 (1998), MR 1726152, www.math.u-bordeaux.fr/~ 
cohen/asiacrypt98.dvi (Cited in §1, §5) 

19. Coron, J.-S.: Resistance against differential power analysis for elliptic curve cryp- 
tosystems, in [32], pp. 292-302 (1999) (Cited in §8, §8, §8) 

20. de Rooij, P.: Efficient exponentiation using precomputation and vector addition 
chains, in [21], pp. 389-399 (1995), MR 1479665. (Cited in §7) 

21. De Santis, A. (ed.): Advances in cryptology: EUROCRYPT 1994. LNCS, vol. 950. 
Springer, Heidelberg (1995), MR 98h:94001. See [20] 

22. Doche, C.: Exponentiation, in [17], pp. 145–168 (2005) MR 2162725. (Cited in §6, 
§7) 


Faster Addition and Doubling on Elliptic Curves 


49 


23. Doche, C., Icart, T., Kohel, D.R.: Efficient scalar multiplication by isogeny decom- 
positions, in [45], pp. 191-206 (2006) (Cited in §1) 

24. Doche, C., Lange, T.: Arithmetic of elliptic curves, in [17], pp. 267-302 (2005), MR 
2162729. (Cited in §5) 

25. Edwards, H.M.: A normal form for elliptic curves. Bulletin of the Ameri- 
can Mathematical Society 44, 393-422 (2007), www . ams . org/bull/2007-44-03/ 
S0273-0979-07-01153-6/home.html (Cited in §1, §3) 

26. Fossorier, M.P.C., Høholdt, T., Poli, A. (eds.): Applied Algebra, Algebraic Algorithms 
and Error-Correcting Codes. LNCS, vol. 2643. Springer, Heidelberg (2003). 
ISBN 3-540-40111-3. MR 2004j:94001. See [9] 

27. Joye, M.: Defences against side-channel analysis, in [10], pp. 87-100 (2005) (Cited 
in §8) 

28. Joye, M., Quisquater, J.-J.: Hessian elliptic curves and side-channel attacks, 
in [31], pp. 402-410 (2001). MR 2003k:94032, www.geocities.com/MarcJoye/ 
publications.html (Cited in §1, §5) 

29. Joye, M., Yen, S.-M.: The Montgomery powering ladder, in [30], pp. 291-302 (2003), 
www.gemplus.com/smart/rd/publications/pdf/JY03mont.pdf (Cited in §8) 

30. Kaliski Jr., B.S., Koq, Q.K., Paar, C. (eds.): Cryptographic hardware and em- 
bedded systems-CHES 2002. LNCS, vol. 2523. Springer, Heidelberg (2003). ISBN 
3-540-42521-7. See [29] 

31. Koq, Q.K., Naccache, D., Paar, C. (eds.): Cryptographic hardware and embedded 
systems-CHES 2001. LNCS, vol. 2162. Springer, Heidelberg (2001). ISBN 3-540- 
42521-7. MR 2003g:94002. See [28], [34], [42] 

32. Koq, Q.K., Paar, C. (eds.): Cryptographic hardware and embedded systems. In: 
first international workshop CHES 1999. LNCS, vol. 1717. Springer, Heidelberg 
(1999). ISBN 3-540-66646-X. See [19] 

33. Lange, T.: Mathematical countermeasures against side-channel attacks, in [17], pp. 
687-714 (2005), MR 2163785. (Cited in §8, §8) 

34. Liardet, P.-Y., Smart, N.P.: Preventing SPA/DPA in ECC systems using the Jacobi 
form, in [31], pp. 391-401 (2001), MR 2003k:94033. (Cited in §1, §5, §8) 

35. Lucchesi, C.L., Moura, A.V. (eds.): LATIN 1998: theoretical informatic. LNCS, 
vol. 1380. Springer, Heidelberg (1998). ISBN 3-540-64275-7. MR 99d:68007. See [4] 

36. Mangard, S., Oswald, E., Popp, T.: Power analysis attacks: revealing the secrets 
of smart cards. Springer, Heidelberg (2007) (Cited in §8, §8) 

37. Miller, V.S.: Use of elliptic curves in cryptography, in [44], pp. 417-426 (1986) MR 
88b:68040. (Cited in §1) 

38. Montgomery, P.L.: Speeding the Pollard and elliptic curve methods of fac- 
torization. Mathematics of Computation 48, 243-264 (1987) MR 88e:11130, 
www . links . j stor . org/sici?sici=0025-5718 (198701)48 : 177<243 : STPAEQ2 . 0 . CO 
2-31] (Cited in §1, §6, §7) 

39. Naccache, D., Paillier, P. (eds.): Public key cryptography. In: PKC 2002. LNCS, 
vol. 2274. Springer, Heidelberg (2002). ISBN 3-540-43168-3. MR 2005b:94044. See 
[13] 

40. Nedjah, N., de Macedo Mourelle, L. (eds.): Embedded Cryptographic Hardware: 
Methodologies & Architectures, Nova Science Publishers (2004) ISBN 1-59454-012- 
8. See [12] 

41. Ohta, K., Pei, D. (eds.): Advances in cryptology-ASIACRYPT 1998. LNCS, 
vol. 1514. Springer, Berlin (1998). ISBN 3-540-65109-8. MR 2000h:94002. See [18] 

42. Oswald, E., Aigner, M.: Randomized addition-subtraction chains as a countermea- 
sure against power attack, in [31], pp. 39-50 (2001) MR 2003m:94068. (Cited in 


50 


D.J. Bernstein and T. Lange 


43. Preneel, B., Tavares, S.E. (eds.): Selected Areas in Cryptography. In: SAC 
2005. LNCS, vol. 3897, Springer, Heidelberg (2006). ISBN3-540-33108-5. MR 
2007b:94002. See [1] 

44. Williams, H.C. (ed.): CRYPTO 1985. LNCS, vol. 218. Springer, Berlin (1986). 
ISBN 3-540-16463-4. MR 87d:94002. See [37] 

45. Yung, M., Dodis, Y., Kiayias, A., Malkin, T. (eds.): 9th international conference 
on theory and practice in public-key cryptography. LNCS, vol. 3958. Springer, 
Heidelberg (2006). ISBN 978-3-540-33851-2. See [7], [23] 


A Non-interactive Shuffle with Pairing Based Verifiability* 

Jens Groth 1** and Steve Lu 2*** 

1 University College London, j.groth@ucl.ac.uk 
2 University of California, Los Angeles, stevelu@math.ucla.edu 


Abstract. A shuffle is a permutation and re-encryption of a set of ciphertexts. 
Shuffles are for instance used in mix-nets for anonymous broadcast and voting. 
One way to make a shuffle verifiable is to give a zero-knowledge proof of 
correctness. All currently known practical zero-knowledge proofs for correctness 
of a shuffle rely on interaction. We give the first efficient non-interactive 
zero-knowledge proof for correctness of a shuffle. 

Keywords: Shuffle, mix-net, non-interactive zero-knowledge, bilinear group. 


1 Introduction 

A shuffle is a permutation and re-encryption of a set of ciphertexts. Shuffles are used 
for instance in mix-nets [Cha81], which in turn are used in protocols for anonymous 
broadcast and electronic voting. In a typical construction of a mix-net, the users encrypt 
messages that they want to publish anonymously. They send the encrypted messages to 
a set of mix-net servers that will anonymize the messages. The first server permutes 
and re-encrypts the incoming set of messages, i.e., it carries out a shuffle. The next 
server takes the output from the first server and shuffles these ciphertexts. The protocol 
continues like this until all servers have permuted and re-encrypted the ciphertexts. 
After the mixing is complete, the mix-servers may now perform a threshold decryption 
operation to get out the permuted set of messages. The idea is that if just one mix-server 
is honest, the messages will be randomly permuted and because of the re-encryption 
step nobody will know the permutation. The messages therefore appear in random order 
and cannot be traced back to the senders. 

The mix-net protocol we just described is not secure if one of the mix-servers is 
dishonest. A dishonest mix-server could for instance discard some of the ciphertexts and 
inject new ciphertexts of its own choosing. It is therefore desirable to make the shuffle 
verifiable. An obvious way to make the mix-net verifiable is to ask each mix-server to 
provide a zero-knowledge proof of its shuffle being correct. The zero-knowledge proof 
guarantees that the shuffle is correct, yet reveals nothing about the permutation or the 
re-encryption and therefore preserves the privacy of the mix-net. 

* Cryptography and Computer Security, Institute of Pure and Applied Mathematics, UCLA, 
2006. 

** Work done while at UCLA supported by NSF ITR/Cybertrust grant No. 0456717. 

*** Supported by NSF Cybertrust grant No. 0430254. 

Much research has already been done on making shuffles verifiable by providing in- 
teractive proofs of correctness [SK95, Abe99, AH01, Nef01, FS01, Gro03, NSNK06, 
NSNK05, Fur05, Wik05, GL07]. The proofs in these papers are all interactive and rely 
on the verifier choosing random challenges. Using the Fiat-Shamir heuristic, where the 
verifier's challenges are computed through the use of a cryptographic hash-function, 
it is possible to make these proofs non-interactive. As a heuristic argument for the se- 
curity of these non-interactive proofs, one can prove them secure in the random oracle 
model [BR93], where the cryptographic hash-function is viewed as a random oracle that 
outputs a random string. However, Goldwasser and Kalai [GK03] demonstrate that the 
Fiat-Shamir heuristic sometimes yields insecure non-interactive proofs. Other works 
casting doubt on the Fiat-Shamir heuristic are [CGH98, Nie02, BBP04, CGH04]. 

It is still an open problem to construct efficient non-interactive zero-knowledge 
(NIZK) proofs or arguments for the correctness of a shuffle that do not rely on the ran- 
dom oracle model in the security proof. Such NIZK arguments can be used to reduce 
the round-complexity of protocols relying on verifiable shuffles. Moreover, interactive 
zero-knowledge proofs are usually deniable [Pas03]: a transcript of an interactive proof 
can only convince somebody who knows that the challenges were chosen correctly. 
NIZK arguments on the other hand are transferable. They consist of a single message 
that can be distributed and convince anybody that the shuffle is correct. 

Obviously, one can apply general NIZK proof techniques to demonstrate the cor- 
rectness of a shuffle. However, reducing the shuffle proof to a general NP statement 
and applying a general NIZK to it is very inefficient. Using NIZK techniques devel- 
oped by Groth, Ostrovsky and Sahai [GOS06b, GOS06a, Gro06, GS07] one can get 
better performance. Some existing interactive zero-knowledge arguments for correct- 
ness of a shuffle naturally fit this framework. For example, it is possible to achieve 
non-interactive shuffle proofs of size $O(n \log n)$ group elements for a shuffle of $n$ ci- 
phertexts by using Abe and Hoshino's scheme [AH01]. This kind of efficiency still falls 
short of what can be achieved using interactive techniques and the interactive proofs 
or arguments that grow linearly in the size of the shuffle do not seem easy to make 
non-interactive using the techniques of Groth, Ostrovsky and Sahai. 

Our Contribution. We offer the first (efficient) non-interactive zero-knowledge ar- 
gument for correctness of a shuffle. The NIZK argument is in the common reference 
string model and has perfect zero-knowledge. The security proof of our scheme does 
not rely on the random oracle model. Instead we make use of recently developed tech- 
niques for making non-interactive witness-indistinguishable proofs for bilinear groups 
by Groth and Sahai [GS07], which draws on earlier work by Groth, Ostrovsky and Sahai 
[GOS06b, GOS06a, Gro06]. 

The NIZK argument we suggest is for the correctness of a shuffle of BBS ciphertexts. 
This cryptosystem, suggested by Boneh, Boyen and Shacham [BBS04], has ciphertexts 
that consist of 3 group elements for each group element that they encrypt. We consider 
statements consisting of $n$ input ciphertexts and $n$ output ciphertexts and the claim 
that the output ciphertexts are a shuffle of the input ciphertexts. Our NIZK arguments 
consist of $15n$ group elements, which is reasonable in comparison with the statement 
size, which is $6n$ group elements. 

2 Preliminaries and Notation 

In this paper, we work over prime order bilinear groups. In other words, we assume 
there is a probabilistic polynomial time algorithm $\mathcal{G}$ that takes a security parameter $k$ as 
input and outputs $(p, G, G_T, e, g)$, where: 

1. $p$ is a prime 

2. $G$ and $G_T$ are cyclic groups of order $p$ 

3. $g$ is a random generator of $G$ 

4. $e : G \times G \to G_T$ is a map with the following properties 

- Bilinearity: $e(g^a, g^b) = e(g, g)^{ab}$ for all $a, b \in \mathbb{Z}_p$ 

- Non-degeneracy: $e(g, g)$ generates $G_T$ 

5. Group operations and the bilinear map are efficiently computable and group mem- 
bership is efficiently decidable. 

We will for notational simplicity assume that group membership always is checked 
when appropriate without writing this explicitly. 

2.1 BBS Encryption 

The BBS cryptosystem was introduced by Boneh, Boyen and Shacham [BBS04]. We 
work in a bilinear group $(p, G, G_T, e, g)$. The public key is of the form $(f = g^x, h = 
g^y)$. The secret key is $(x, y) \in (\mathbb{Z}_p^*)^2$. To encrypt $m \in G$, we choose random $s, t \in \mathbb{Z}_p$ 
and let the ciphertext be 

$$(u, v, w) := (f^s, h^t, g^{s+t} m).$$

To decrypt a ciphertext $(u, v, w) \in G^3$, we compute 

$$m = u^{-1/x} v^{-1/y} w.$$

The BBS cryptosystem is semantically secure under chosen plaintext attack if the Deci- 
sional Linear Problem is hard in the bilinear group. We refer to Section 3.1 for a formal 
definition of this assumption. 

2.2 Shuffling BBS Ciphertexts 

The BBS cryptosystem is homomorphic in the sense that entrywise multiplication of 
two ciphertexts yields an encryption of the product of the plaintexts. We have: 

$$(f^s, h^t, g^{s+t} m) \cdot (f^S, h^T, g^{S+T} M) = (f^{s+S}, h^{t+T}, g^{s+S+t+T} mM).$$

It is easy to make a random shuffle of BBS ciphertexts. Given $n$ input ciphertexts, 
we permute them randomly and then re-encrypt them by multiplying them with random 
encryptions of 1. Multiplication with encryptions of 1 preserves the plaintexts by the 
homomorphic property, but the plaintexts now appear in permuted order. If the Deci- 
sional Linear Assumption holds, the BBS cryptosystem is semantically secure and thus 
the permutation is hidden. For notational purposes, we will let $\{x_i\}$ denote 

Definition 1. A shuffle of $n$ BBS ciphertexts $\{(u_i, v_i, w_i)\}$ is a list of output cipher- 
texts $\{(U_i, V_i, W_i)\}$ such that there exists some permutation $\pi \in S_n$ and randomizers 
$\{(S_i, T_i)\}$ so: 

$$(\forall i) \quad U_i = u_{\pi(i)} f^{S_i} \;\land\; V_i = v_{\pi(i)} h^{T_i} \;\land\; W_i = w_{\pi(i)} g^{S_i + T_i}.$$

2.3 Non-interactive Zero-Knowledge Arguments 

We will construct non-interactive zero-knowledge (NIZK) arguments for correctness of 
a shuffle of n BBS ciphertexts. Informally, such an argument will demonstrate that the 
shuffle is correct, but will not reveal anything else, in particular the permutation will 
remain secret. We will now define NIZK arguments with perfect completeness, perfect 
zero-knowledge and $R_{co}$-soundness. The notion of co-soundness in NIZK arguments 
for NP-languages was introduced in the full paper of [GOS06b, GOS06a]. Since it is 
quite new we will give some further intuition after the formal definitions. 

An NIZK argument for $R$ with $R_{co}$-soundness consists of six probabilistic polyno- 
mial time algorithms: a setup algorithm $\mathcal{G}$, a CRS generation algorithm $K$, a prover 
$P$, a verifier $V$ and simulators $(S_1, S_2)$. The setup algorithm $\mathcal{G}$ outputs some initial 
information $gk$. The CRS generation algorithm produces a common reference string $\sigma$ 
corresponding to the setup. The prover takes as input $(gk, \sigma, x, w)$ and produces a proof 
$\psi$. The verifier takes as input $(gk, \sigma, x, \psi)$ and outputs 1 if the proof is acceptable and 0 
if the proof is rejected. The simulator $S_1$ takes as input $gk$ and outputs a simulated com- 
mon reference string $\sigma$ as well as a simulation trapdoor $\tau$. $S_2$ takes as input $gk, \sigma, \tau, x$ 
and simulates a proof $\psi$. 

Definition 2. We call $(\mathcal{G}, K, P, V, S_1, S_2)$ an NIZK argument for $R$ with $R_{co}$- 
soundness if for all non-uniform adversaries $\mathcal{A}$ we have completeness, soundness and 
zero-knowledge as described below. 

Perfect completeness: 

$$\Pr\Big[gk \leftarrow \mathcal{G}(1^k);\ \sigma \leftarrow K(gk);\ (x, w) \leftarrow \mathcal{A}(gk, \sigma);\ 
\psi \leftarrow P(gk, \sigma, x, w) : (gk, x, w) \notin R \lor V(gk, \sigma, x, \psi) = 1\Big] = 1.$$

Computational $R_{co}$-soundness: 

$$\Pr\Big[gk \leftarrow \mathcal{G}(1^k);\ \sigma \leftarrow K(gk);\ (x, \psi, w_{co}) \leftarrow \mathcal{A}(gk, \sigma) : 
V(gk, \sigma, x, \psi) = 1 \land (gk, x, w_{co}) \in R_{co}\Big] \approx 0.$$

Perfect zero-knowledge: 

$$\Pr\Big[gk \leftarrow \mathcal{G}(1^k);\ \sigma \leftarrow K(gk);\ (St, x, w) \leftarrow \mathcal{A}(gk, \sigma);\ 
\psi \leftarrow P(gk, \sigma, x, w) : (gk, x, w) \in R \land \mathcal{A}(St, \psi) = 1\Big]$$
$$= \Pr\Big[gk \leftarrow \mathcal{G}(1^k);\ (\sigma, \tau) \leftarrow S_1(gk);\ (St, x, w) \leftarrow \mathcal{A}(gk, \sigma);\ 
\psi \leftarrow S_2(gk, \sigma, \tau, x) : (gk, x, w) \in R \land \mathcal{A}(St, \psi) = 1\Big].$$



We remark that if R ignores gk then R defines a language in NP. The definition given 
here generalizes the notion of NIZK arguments by allowing R to depend on a setup. 
The setup we have in mind in this paper, is to let gk be a description of a bilinear 
group. Given gk describing a bilinear group, the relation R defines a group-dependent 
language L. It is common in the cryptographic literature to assume an appropriate finite 
group or bilinear group has already been chosen and build protocols in this setting, so 
it is natural to consider NIZK arguments for setup-dependent languages as we do here. 

Our definition also differs in the definition of soundness, where we let $R_{co}$ be a 
relation that specifies what it means to break soundness. Informally, computational $R_{co}$- 
soundness can be interpreted as it being infeasible for the adversary to prove $x \in L$ if it 
knows $x \in L_{co}$. We remark that the standard definition of soundness is a special type of 
$R_{co}$-soundness. If $R$ ignores $gk$ and $R_{co}$ ignores $gk, w_{co}$ and contains all $x \notin L$, then 
the definition given above corresponds to saying that it is infeasible to construct a valid 
proof for $x \notin L$. 

Let us explain further why it is worthwhile to consider $R_{co}$-soundness in the context 
of non-interactive arguments with perfect zero-knowledge instead of just using the stan- 
dard definition of soundness. The problem with the standard definition appears when the 
adversary produces a statement $x$ and a valid NIZK argument without knowing whether 
$x \in L$ or $x \notin L$. In these cases it may not be possible to reduce the adversary's output 
to a breach of some underlying (polynomial) cryptographic hardness assumption. Abe 
and Fehr [AF07] give a more formal argument for this. They consider NIZK arguments 
with direct black-box reductions to a cryptographic hardness assumption and show that 
only languages in P/poly can have direct black-box NIZK arguments with perfect zero- 
knowledge. Since all known constructions of NIZK arguments rely on direct black-box 
reductions this indicates that the "natural" definition of soundness is not the right defi- 
nition of soundness for perfect NIZK arguments. We note that for NIZK proofs there is 
no such problem since they are not perfect zero-knowledge except for trivial languages; 
and in the case of interactive arguments with perfect zero-knowledge this problem does 
not appear either because the security proofs rely on rewinding techniques which make 
it possible to extract a witness for the statement being proven. 

The generalization to $R_{co}$-soundness makes it possible to get around the problem we 
described above. The adversary only breaks $R_{co}$-soundness when it knows a witness 
$w_{co}$ for $x \in L_{co}$. By choosing $R_{co}$ the right way, this witness can make it possible to 
reduce a successful $R_{co}$-soundness attack to a breach of a standard polynomial crypto- 
graphic complexity assumption. 

At this point, one may wonder whether it is natural to consider a soundness defini- 
tion where we require the adversary to supply some w co . It turns out that many crypto- 
graphic schemes assume a setup where such a w co is given automatically. One example 
is shuffling that we consider in this paper: when setting up a mix-net using a homomor- 
phic threshold cryptosystem, the threshold decryption keys can be used to decrypt the 
ciphertexts and check whether indeed they do constitute a shuffle or not. 

In our paper, the setup algorithm will be Q that outputs a description of a bilinear 
group. The relation R will consist of statements that contain a public key for the BBS 
cryptosystem using the bilinear group and a shuffle of n ciphertexts. The witness will be 
the permutation used in the shuffle as well as the randomness used for re-randomizing 
the ciphertexts. In other words: 

$$R = \Big\{ \big( (p, G, G_T, e, g),\ (f, h, \{(u_i, v_i, w_i)\}, \{(U_i, V_i, W_i)\}),\ (\pi, \{(S_i, T_i)\}) \big) \ \Big|\ 
\pi \in S_n \land \forall i : U_i = u_{\pi(i)} f^{S_i} \land V_i = v_{\pi(i)} h^{T_i} \land W_i = w_{\pi(i)} g^{S_i + T_i} \Big\}$$

The relation $R_{co}$ will consist of non-shuffles. The witness $w_{co}$ will be the decryption 
key, which makes it easy to decrypt and check that there is no permutation matching the 
input plaintexts with the output plaintexts. As we remarked above, NIZK arguments for 
correctness of a shuffle are usually deployed in a context where such a decryption key 
can be found. It is for instance common in mix-nets that the mix-servers have a threshold 
secret sharing of the decryption key for the cryptosystem used in the shuffle. NIZK 
arguments with $R_{co}$-soundness for correctness of a shuffle therefore give us exactly the 
guarantee we need for the shuffle being correct. 


$$R_{co} = \Big\{ \big( (p, G, G_T, e, g),\ (f, h, \{(u_i, v_i, w_i)\}, \{(U_i, V_i, W_i)\}),\ (x, y) \big) \ \Big|\ 
x, y \in \mathbb{Z}_p^* \land f = g^x \land h = g^y \land$$
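An added example, not code from the Groth-Lu paper, implementing the BBS encryption of Section 2.1, the re-encryption shuffle of Section 2.2 (Definition 1), and the decryption-key check that the $R_{co}$ witness makes possible. It assumes $G$ is the order-509 subgroup of $\mathbb{Z}_{1019}^*$ (a constructed toy stand-in for the source group of the bilinear group; the pairing $e$ is not modelled since none of these operations need it), and every function name below is the example's own.

```python
import secrets
from collections import Counter

# Constructed toy parameters (assumption): q = 2p + 1 with p prime, so the
# quadratic residues mod q form a cyclic group G of prime order p, standing
# in for the source group of the paper's bilinear group. Toy-sized only.
Q = 1019
P = 509
G_GEN = 4  # 2^2 mod Q is a quadratic residue and so generates G


def group_mul(a, b):
    return a * b % Q


def group_exp(base, exp):
    # Exponents live in Z_p since G has order p.
    return pow(base, exp % P, Q)


def group_inv(a):
    return pow(a, -1, Q)


def keygen():
    """Secret key (x, y) in (Z_p^*)^2, public key (f, h) = (g^x, g^y)."""
    x = secrets.randbelow(P - 1) + 1
    y = secrets.randbelow(P - 1) + 1
    return (x, y), (group_exp(G_GEN, x), group_exp(G_GEN, y))


def encrypt(pk, m, s=None, t=None):
    """BBS encryption of m in G: (u, v, w) = (f^s, h^t, g^{s+t} m)."""
    f, h = pk
    s = secrets.randbelow(P) if s is None else s
    t = secrets.randbelow(P) if t is None else t
    return (group_exp(f, s), group_exp(h, t), group_mul(group_exp(G_GEN, s + t), m))


def decrypt(sk, ct):
    """m = u^{-1/x} v^{-1/y} w, the inverses 1/x and 1/y taken in Z_p."""
    x, y = sk
    u, v, w = ct
    lhs = group_exp(group_inv(u), pow(x, -1, P))
    rhs = group_exp(group_inv(v), pow(y, -1, P))
    return group_mul(group_mul(lhs, rhs), w)


def ct_mul(c1, c2):
    """Entrywise product: an encryption of the product of the plaintexts."""
    return tuple(group_mul(a, b) for a, b in zip(c1, c2))


def shuffle(pk, cts, perm=None, rand=None):
    """Permute the ciphertexts and re-encrypt each by multiplying it with a
    fresh encryption of 1, so output i is
    (u_{pi(i)} f^{S_i}, v_{pi(i)} h^{T_i}, w_{pi(i)} g^{S_i+T_i}) as in Definition 1."""
    n = len(cts)
    if perm is None:  # Fisher-Yates with a CSPRNG
        perm = list(range(n))
        for i in range(n - 1, 0, -1):
            j = secrets.randbelow(i + 1)
            perm[i], perm[j] = perm[j], perm[i]
    if rand is None:
        rand = [(secrets.randbelow(P), secrets.randbelow(P)) for _ in range(n)]
    out = [ct_mul(cts[perm[i]], encrypt(pk, 1, *rand[i])) for i in range(n)]
    return out, perm, rand


def is_shuffle_with_key(sk, inputs, outputs):
    """The check the R_co witness (the decryption key) makes possible: decrypt
    both lists and test whether some permutation matches the plaintexts,
    i.e. whether the two plaintext multisets agree."""
    if len(inputs) != len(outputs):
        return False
    return Counter(decrypt(sk, c) for c in inputs) == Counter(decrypt(sk, c) for c in outputs)


def demo():
    """An honest shuffle passes the key-based check; a mix-server that drops a
    ciphertext and injects its own (the misbehaviour from the introduction) fails it."""
    sk, pk = keygen()
    msgs = [group_exp(G_GEN, k) for k in (3, 17, 42, 99)]  # constructed plaintexts
    cts = [encrypt(pk, m) for m in msgs]
    honest, perm, _ = shuffle(pk, cts)
    cheating = honest[:-1] + [encrypt(pk, group_exp(G_GEN, 7))]
    return {
        "roundtrip": all(decrypt(sk, c) == m for c, m in zip(cts, msgs)),
        "permuted": [decrypt(sk, c) for c in honest] == [msgs[i] for i in perm],
        "honest_ok": is_shuffle_with_key(sk, cts, honest),
        "cheating_ok": is_shuffle_with_key(sk, cts, cheating),
    }


if __name__ == "__main__":
    print(demo())  # {'roundtrip': True, 'permuted': True, 'honest_ok': True, 'cheating_ok': False}
```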



2.4 Non-interactive Witness-Indistinguishable Proofs for Bilinear Groups 

We will employ the non-interactive proof techniques of Groth and Sahai [GS07]. They 
allow a prover to give short proofs for the existence of group elements which satisfy 
a list of so-called pairing product equations. With their techniques, one can prove that 
there exist $x_1, \ldots, x_n \in G$ and $\phi_1, \ldots, \phi_n \in \mathbb{Z}_p$ such that they simultaneously satisfy 
a set of pairing product equations, for instance $\prod_{i=1}^n e(x_i, x_i) = 1$ and $\prod_{i=1}^n x_i = 
1$. One instantiation of their scheme works over bilinear groups where the Decisional 
Linear Assumption holds. 

Their scheme has the following properties. It has a key generation algorithm that 
outputs a common reference string consisting of 8 group elements. These 8 group ele- 
ments specify the public key for two commitment schemes: one for group elements in 
$G$ and one for exponents in $\mathbb{Z}_p$. In their proof, the prover commits to the witness by 
committing to the group elements $x_1, \ldots, x_n \in G$ and the exponents $\phi_1, \ldots, \phi_n \in \mathbb{Z}_p$. 
After that the prover makes non-interactive proofs that the committed elements satisfy 
all the pairing product equations. 

There are two ways of setting up the commitment schemes. One can choose the 
common reference string such that both commitment schemes are perfectly binding, in 
which case the proof has perfect completeness and perfect soundness. With a perfect 
binding key, the commitments to group elements are BBS ciphertexts, so we can decrypt 
the commitments to learn $x_1, \ldots, x_n$. 

Another way to choose the common reference string is to have perfectly hiding 
commitment schemes. In this case, we can set up the commitment to the exponents 
$\phi_1, \ldots, \phi_n$ as a perfect trapdoor commitment scheme. We can create a commitment 
and two different openings to respectively 0 and 1 for instance. When we have per- 
fectly hiding keys in the common reference string, the non-interactive proof has 
perfect completeness and perfect witness-indistinguishability. In other words, an ad- 
versary that sees a proof for a statement for which two or more witnesses exist, gets 
no information whatsoever as to whether one witness or the other was used in the 
non-interactive proof. 

We write $(\sigma_{\mathrm{binding}}, \xi_{\mathrm{extraction}}) \leftarrow K_{\mathrm{binding}}(p, G, G_T, e, g)$ when creating a per- 
fectly binding common reference string with extraction key $\xi_{\mathrm{extraction}}$ for the commit- 
ments to group elements in $G$. We write $(\sigma_{\mathrm{hiding}}, \tau_{\mathrm{trapdoor}}) \leftarrow K_{\mathrm{hiding}}(p, G, G_T, e, g)$ 
when creating a perfectly hiding common reference string with trapdoor $\tau_{\mathrm{trapdoor}}$ for 
the commitments to exponents in $\mathbb{Z}_p$. Perfectly binding common reference strings and 
perfectly hiding common reference strings are computationally indistinguishable if the 
Decisional Linear Assumption holds for the bilinear group we are working over. 

3 Cryptographic Assumptions 

The security of our NIZK argument for correctness of a shuffle will be based on three as- 
sumptions: the Decisional Linear Assumption, the Permutation Pairing Assumption and 
the Simultaneous Pairing Assumption. The BBS cryptosystem and the non-interactive 
proofs of Groth and Sahai rely on the Decisional Linear Assumption. The other two 
assumptions are needed for the NIZK argument for correctness of a shuffle. We will 
now formally define these assumptions and for the two new assumptions give heuristic 
reasons for believing them by showing that they hold in the generic group model. 

3.1 Decisional Linear Assumption 

We first recap the Decisional Linear Problem introduced by Boneh, Boyen and Shacham 
[BBS04]: Given $gk = (p, G, G_T, e, g)$ and $f, h, g, f^s, h^t, g^z \in G$, decide if $z = s + t$. 

Definition 3. The Decisional Linear Assumption holds for $\mathcal{G}$ if for all non-uniform 
polynomial time adversaries $\mathcal{A}$ we have: 

$$\Pr\Big[gk := (p, G, G_T, e, g) \leftarrow \mathcal{G}(1^k);\ f, h \leftarrow G;\ 
s, t \leftarrow \mathbb{Z}_p : \mathcal{A}(gk, f, h, f^s, h^t, g^{s+t}) = 1\Big]$$
$$\approx \Pr\Big[gk := (p, G, G_T, e, g) \leftarrow \mathcal{G}(1^k);\ f, h \leftarrow G;\ 
s, t, z \leftarrow \mathbb{Z}_p : \mathcal{A}(gk, f, h, f^s, h^t, g^z) = 1\Big].$$

3.2 Permutation Pairing Assumption 

The Permutation Pairing Problem is: Given $(p, G, G_T, e, g)$ and $g_1 := g^{x_1}, \ldots, g_n := 
g^{x_n}$, $\gamma_1 := g^{x_1^2}, \ldots, \gamma_n := g^{x_n^2}$ for random $x_1, \ldots, x_n \in \mathbb{Z}_p$ find elements 
$a_1, \ldots, a_n, b_1, \ldots, b_n \in G$ such that the following holds: 

$$\prod_{i=1}^n a_i = \prod_{i=1}^n g_i \qquad\qquad \prod_{i=1}^n b_i = \prod_{i=1}^n \gamma_i$$

$$e(a_i, a_i) = e(g, b_i) \quad \text{for } i = 1 \ldots n$$

$$\{a_i\} \text{ is not a permutation of } \{g_i\}$$

Note that if $\{a_i\}$ is a permutation of $\{g_i\}$, then by the third equation $\{b_i\}$ is $\{\gamma_i\}$ 
permuted in the same way. 

Observe that permutations trivially satisfy the first three conditions and not the 
fourth, but one could imagine some particular choice of the $\{a_i\}$ and $\{b_i\}$ would satisfy 
all four conditions. The Permutation Pairing Assumption holds if finding such a clever 
choice is computationally infeasible. 

Definition 4. The Permutation Pairing Assumption holds if for all non-uniform poly- 
nomial time adversaries $\mathcal{A}$ we have: 

$$\Pr\Big[gk := (p, G, G_T, e, g) \leftarrow \mathcal{G}(1^k);\ x_1, \ldots, x_n \leftarrow \mathbb{Z}_p;\ 
\{g_i\} := \{g^{x_i}\};\ \{\gamma_i\} := \{g^{x_i^2}\};\ (\{a_i\}, \{b_i\}) \leftarrow \mathcal{A}(gk, \{g_i\}, \{\gamma_i\}) : 
\prod_{i=1}^n a_i g_i^{-1} = 1 \land \prod_{i=1}^n b_i \gamma_i^{-1} = 1 \land (\forall i)\ e(a_i, a_i) = e(g, b_i) \land 
\{a_i\} \text{ is not a permutation of } \{g_i\}\Big] \approx 0.$$


3.3 Simultaneous Pairing Assumption 

The Simultaneous Pairing Problem is: Given $(p, G, G_T, e, g)$ and $g_1 := g^{x_1}, \ldots, g_n := 
g^{x_n}$, $\gamma_1 := g^{x_1^2}, \ldots, \gamma_n := g^{x_n^2}$ for random $x_1, \ldots, x_n \in \mathbb{Z}_p$ find a non-trivial set of 
elements $\rho_1, \ldots, \rho_n \in G$ such that the following holds: 

$$\prod_{i=1}^n e(\rho_i, g_i) = 1 \;\land\; \prod_{i=1}^n e(\rho_i, \gamma_i) = 1.$$

The intuition behind this problem is that it may be hard to find a set of non-trivial ele- 
ments to simultaneously satisfy two pairing products of "independent" sets of elements. 
The Simultaneous Pairing Assumption holds if this problem is hard. 

Definition 5. The Simultaneous Pairing Assumption holds if for all non-uniform poly- 
nomial time adversaries $\mathcal{A}$ we have: 

$$\Pr\Big[gk := (p, G, G_T, e, g) \leftarrow \mathcal{G}(1^k);\ x_1, \ldots, x_n \leftarrow \mathbb{Z}_p;\ \{g_i\} := \{g^{x_i}\};\ 
\{\gamma_i\} := \{g^{x_i^2}\};\ \{\rho_i\} \leftarrow \mathcal{A}(gk, \{g_i\}, \{\gamma_i\}) : 
\prod_{i=1}^n e(\rho_i, g_i) = 1 \land \prod_{i=1}^n e(\rho_i, \gamma_i) = 1 \land \exists i : \rho_i \neq 1\Big] \approx 0.$$
3.4 Our Assumptions in the Generic Group Model 

We will provide heuristic evidence for our new assumptions by showing that they hold 
in the generic group model [Sho97]. In this model the adversary is restricted to using 
only generic bilinear group operations and evaluating equality of group elements. 

We accomplish this restriction of the adversary by using a model of the bilinear group 
where we encode the group elements (or equivalently we encode their discrete loga- 
rithms) as unique random strings and letting the adversary see only this representation 
of the group elements. We then provide the adversary with a bilinear group operation 
oracle such that it can still perform group operations. 

Let us give a few more details. We start by picking a random bilinear group 
$(p, G, G_T, e, g) \leftarrow \mathcal{G}(1^k)$, which the adversary gets as input. We also pick random 
bijections $[\cdot] : \mathbb{Z}_p \to G$ and $[[\cdot]] : \mathbb{Z}_p \to G_T$. We give the adversary access to an oracle 
that operates as follows: 

- On input $(\mathrm{exp}, a)$ return $[a]$. 

- On input $(\mathrm{mult}, [a], [b])$ return $[a + b]$. 

- On input $(\mathrm{mult}, [[a]], [[b]])$ return $[[a + b]]$. 

- On input $(\mathrm{map}, [a], [b])$ return $[[ab]]$. 

This oracle corresponds to the effect exponentiations, group operations and using the 
bilinear map have on the discrete logarithms of group elements. Please note that other 
operations such as inversion of a group element for instance can be easily computed 
using these group operations since the group order p is known to the adversary. 

Theorem 1. The Permutation Pairing Assumption holds in the generic group model. 

Proof. Let us first formulate the Permutation Pairing Assumption in the generic group 
model. We generate $(p, G, G_T, e, g) \leftarrow \mathcal{G}(1^k)$. We pick $[\cdot] : \mathbb{Z}_p \to G$ and $[[\cdot]] : \mathbb{Z}_p \to 
G_T$ as random bijective functions. We pick $x_1, \ldots, x_n \leftarrow \mathbb{Z}_p$. We now give the ad- 
versary $\mathcal{A}$ the following input: $(p, G, G_T, e, g, \{[x_i]\}, \{[x_i^2]\})$ and access to the bilinear 
group operation oracle. $\mathcal{A}$ is computationally unbounded but can only make a polyno- 
mial number of queries to the bilinear group operation oracle. The challenge for $\mathcal{A}$ is to 
find $\{([a_i], [b_i])\}$ so: 

$$\sum_{i=1}^n a_i = \sum_{i=1}^n x_i \;\land\; \sum_{i=1}^n b_i = \sum_{i=1}^n x_i^2 \;\land\; \forall i : a_i^2 = b_i \;\land\; \forall \pi\ \exists i : a_i \neq x_{\pi(i)}.$$

In the generic group model we can without loss of generality assume the adversary 
computes $[a_i], [b_i]$ via repeated calls to the group operation oracle. This means we have 

$$a_i = \sum_{j=1}^n a_{ij} x_j + \sum_{j=1}^n \alpha_{ij} x_j^2 + r_i \qquad\qquad 
b_i = \sum_{j=1}^n b_{ij} x_j + \sum_{j=1}^n \beta_{ij} x_j^2 + s_i$$

for values $\{a_{ij}\}, \{\alpha_{ij}\}, \{r_i\}, \{b_{ij}\}, \{\beta_{ij}\}, \{s_i\}$ that can be deduced from the calls to 
the group operation oracle. 
Consider now the first conditions on the adversary being successful: 

$$\sum_{i=1}^n a_i - \sum_{i=1}^n x_i = 0 \;\land\; \sum_{i=1}^n b_i - \sum_{i=1}^n x_i^2 = 0 \;\land\; \forall i : a_i^2 = b_i.$$

These are polynomials over unknowns $x_1, \ldots, x_n$ that are randomly chosen. The ad- 
versary only has indirect access to them by using the bilinear group operation oracle. 
The adversary can choose two strategies for satisfying the equations. It can pick the 
values $a_{ij}, \alpha_{ij}, r_i, b_{ij}, \beta_{ij}, s_i$ so the polynomials are identically zero in $\mathbb{Z}_p[x_1, \ldots, x_n]$ or 
it can hope to be lucky that the polynomials evaluate to zero on the random choice of 
$x_1, \ldots, x_n \leftarrow \mathbb{Z}_p$. The Schwartz-Zippel theorem tells us that a guess according to the 
latter strategy has only negligible probability of being successful. Since the adversary 
can access the bilinear group operation oracle only a polynomial number of times, it 
can only verify a polynomial number of guesses, so the latter strategy has negligible 
success probability. 

Let us now see what happens if the adversary follows the first strategy. The first 
equation gives us: 

$$\sum_{i=1}^n \Big[ \sum_{j=1}^n a_{ij} x_j + \sum_{j=1}^n \alpha_{ij} x_j^2 + r_i \Big] - \sum_{i=1}^n x_i = 0.$$

Viewed as a multivariate polynomial equation over variables $x_1, \ldots, x_n$ we must have 
for all $j$, $\sum_{i=1}^n a_{ij} = 1$ and $\sum_{i=1}^n \alpha_{ij} = 0$ and $\sum_{i=1}^n r_i = 0$. 

Next, if $\sum_{i=1}^n b_i = \sum_{i=1}^n x_i^2$ then it must be the case that 

$$\sum_{i=1}^n \Big[ \sum_{j=1}^n b_{ij} x_j + \sum_{j=1}^n \beta_{ij} x_j^2 + s_i \Big] - \sum_{i=1}^n x_i^2 = 0.$$

When viewed as a polynomial in $x_1, \ldots, x_n$, we see that we must have for all $j$, 
$\sum_{i=1}^n b_{ij} = 0$ and $\sum_{i=1}^n \beta_{ij} = 1$ and $\sum_{i=1}^n s_i = 0$. 

Finally, if $(\forall i)\ a_i^2 = b_i$ then it must be the case that 

$$\sum_{j=1}^n \sum_{k=1}^n a_{ij} a_{ik} x_j x_k + \sum_{j=1}^n \sum_{k=1}^n \alpha_{ij} \alpha_{ik} x_j^2 x_k^2 + r_i^2 
+ 2 \sum_{j=1}^n \sum_{k=1}^n a_{ij} \alpha_{ik} x_j x_k^2 + 2 \sum_{j=1}^n a_{ij} r_i x_j + 2 \sum_{j=1}^n \alpha_{ij} r_i x_j^2 
= \sum_{j=1}^n b_{ij} x_j + \sum_{j=1}^n \beta_{ij} x_j^2 + s_i.$$

Once again by viewing this as a polynomial equation, for all $i$ we must have that 
$a_{ij} \alpha_{ik} = 0$. Also $a_{ij} a_{ik} = 0$ when $j \neq k$, $r_i^2 = s_i$, $b_{ij} = 2 a_{ij} r_i$, $\beta_{ij} = a_{ij}^2 + 2 \alpha_{ij} r_i$. 

We now consider what the matrix $A = (a_{ij})$ must be. Each row of $A$ has at most one 
non-zero entry by the fact that $a_{ij} a_{ik} = 0$ when $j \neq k$. Also, each column must sum 
to 1 by $\sum_{i=1}^n a_{ij} = 1$. These two facts combined imply that $A$ has exactly one 1 in each 
column and each row, thus $A$ is a permutation matrix. Since permutation matrices are in- 
vertible, from the equations $a_{ij} \alpha_{ik} = 0$ and $\sum_{i=1}^n a_{ij} r_i = \frac{1}{2} \sum_{i=1}^n b_{ij} = 0$, 
we obtain that $\alpha_{ik} = 0$ and $r_i = 0$. Therefore, the $\{a_i\}$ are a permutation of 
the $\{x_i\}$. $\square$ 


Theorem 2. The Simultaneous Pairing Assumption holds in the generic group model. 

Proof. Let us first formulate the Simultaneous Pairing Assumption in the generic 
group model. We generate $(p, G, G_T, e, g) \leftarrow \mathcal{G}(1^k)$. We pick $[\cdot] : \mathbb{Z}_p \to G$ and 
$[[\cdot]] : \mathbb{Z}_p \to G_T$ as random bijective functions. We pick $x_1, \ldots, x_n \leftarrow \mathbb{Z}_p$. We now 
give the adversary $\mathcal{A}$ the following input: $(p, G, G_T, e, g, \{[x_i]\}, \{[x_i^2]\})$ and access to 
the bilinear group operation oracle. $\mathcal{A}$ is computationally unbounded but can only make 
a polynomial number of queries to the bilinear group operation oracle. The challenge 
for $\mathcal{A}$ is to find non-trivial $\{[\rho_i]\}$ so $\sum_{i=1}^n \rho_i x_i = 0$ and $\sum_{i=1}^n \rho_i x_i^2 = 0$. The Si- 
multaneous Pairing Assumption in the generic model says that any adversary $\mathcal{A}$ has 
negligible probability of succeeding in this game. 

Without loss of generality we can think of $\mathcal{A}$ as being restricted to computing $\{[\rho_i]\}$ 
using the bilinear group operation oracle only. This means it chooses 



for known $a_{ij}$, $\alpha_{ij}$ and $r_i$. 

A successful adversary chooses these values so both of these equations are satisfied: 



We can view them as multivariate polynomials in $x_1, \ldots, x_n$, which are chosen at random. The adversary never sees $x_1, \ldots, x_n$; it only has indirect access to them through the group operation oracle. There are two strategies the adversary can use: it can select $a_{ij}, \alpha_{ij}, r_i$ so the two polynomials have zero coefficients, or it can hope to be lucky that the random choice of $x_1, \ldots, x_n$ actually evaluates to zero. The Schwartz-Zippel theorem tells us that a guess has negligible chance of being correct when $x_1, \ldots, x_n$ are chosen at random from $\mathbb{Z}_p$. Since the adversary can access the bilinear group operation oracle only a polynomial number of times, it can only verify the correctness of a polynomial number of guesses. The latter strategy therefore has negligible success probability.

Let us now consider the former strategy, where the adversary chooses the coefficients of the polynomials in $\mathbb{Z}_p[x_1, \ldots, x_n]$ so they are the zero polynomials. Looking at the coefficients of the first polynomial we see that we must have $r_i = 0$ and $\alpha_{ij} = 0$. Looking at the coefficients of the second polynomial we see that $a_{ij} = 0$. The adversary can therefore only find the trivial solution $\mu_1 = \ldots = \mu_n = 0$. □
4 NIZK Argument for Correctness of a Shuffle

We will now present an NIZK argument for correctness of a shuffle of BBS ciphertexts. The common reference string contains $2n$ elements $\{g_i := g^{x_i}\}$ and $\{\gamma_i := g^{x_i^2}\}$ for random $x_1, \ldots, x_n \in \mathbb{Z}_p$. The statement contains a public key $(f, h)$, a set of $n$ input ciphertexts $\{(u_i, v_i, w_i)\}$ and a set of output ciphertexts $\{(U_i, V_i, W_i)\}$ that may be a shuffle of the input ciphertexts.

The first part of the NIZK argument consists of setting up pairing product equations that can only be satisfied if indeed we are dealing with a shuffle. The prover will use a set of variables $\{a_i\}$ and $\{b_i\}$ in these pairing product equations. She will set up a Permutation Pairing Problem over these variables to guarantee that $\{(a_i, b_i)\}$ are a permutation of $\{(g_i, \gamma_i)\}$.

Assume now that $\{(a_i, b_i)\}$ are a permutation of $\{(g_i, \gamma_i)\}$. Let $\{m_i\}$ be the plaintexts of $\{(u_i, v_i, w_i)\}$ and $\{M_i\}$ be the plaintexts of $\{(U_i, V_i, W_i)\}$. The prover also sets up equations such that $\prod_{i=1}^n e(a_i, M_i) = \prod_{i=1}^n e(g_i, m_i)$ and $\prod_{i=1}^n e(b_i, M_i) = \prod_{i=1}^n e(\gamma_i, m_i)$. Since $\{(a_i, b_i)\}$ are a permutation of $\{(g_i, \gamma_i)\}$, there exists a permutation $\pi \in S_n$ so

$$\prod_{i=1}^n e(g_i, M_{\pi^{-1}(i)} m_i^{-1}) = 1 \;\wedge\; \prod_{i=1}^n e(\gamma_i, M_{\pi^{-1}(i)} m_i^{-1}) = 1.$$

This is a Simultaneous Pairing Problem, and assuming the hardness of this problem we will have $M_{\pi^{-1}(i)} = m_i$ for all $i$.

To give further intuition of the construction, consider a naive protocol where the prover sends the permutation directly to the verifier. Denote $a_i := g_{\pi(i)}$ and $b_i := \gamma_{\pi(i)}$. With $U_i = u_{\pi(i)} f^{S_i}$, $V_i = v_{\pi(i)} h^{T_i}$, $W_i = w_{\pi(i)} g^{S_i + T_i}$ we have:

$$\prod_{i=1}^n e(a_i, u_{\pi(i)} f^{S_i}) = e\Big(\prod_{i=1}^n a_i^{S_i}, f\Big)\prod_{i=1}^n e(g_{\pi(i)}, u_{\pi(i)}) = e(c_u, f)\prod_{i=1}^n e(g_i, u_i)$$
$$\prod_{i=1}^n e(a_i, v_{\pi(i)} h^{T_i}) = e\Big(\prod_{i=1}^n a_i^{T_i}, h\Big)\prod_{i=1}^n e(g_{\pi(i)}, v_{\pi(i)}) = e(c_v, h)\prod_{i=1}^n e(g_i, v_i)$$
$$\prod_{i=1}^n e(a_i, w_{\pi(i)} g^{S_i+T_i}) = e\Big(\prod_{i=1}^n a_i^{S_i+T_i}, g\Big)\prod_{i=1}^n e(g_{\pi(i)}, w_{\pi(i)}) = e(c_w, g)\prod_{i=1}^n e(g_i, w_i),$$

where $c_u = \prod_{i=1}^n a_i^{S_i}$, $c_v = \prod_{i=1}^n a_i^{T_i}$ and $c_w = \prod_{i=1}^n a_i^{S_i+T_i}$. By construction, $c_w = c_u c_v$. In addition, we may look at the equations by pairing the $\{b_i\}$ with the $U_i$, $V_i$, and $W_i$. From this we obtain another three equations, and we define new elements $c'_u = \prod_{i=1}^n b_i^{S_i}$, $c'_v = \prod_{i=1}^n b_i^{T_i}$, $c'_w = \prod_{i=1}^n b_i^{S_i+T_i}$. In total we have six equations:

$$\prod_{i=1}^n e(a_i, U_i) = e(c_u, f)\prod_{i=1}^n e(g_i, u_i) \qquad \prod_{i=1}^n e(b_i, U_i) = e(c'_u, f)\prod_{i=1}^n e(\gamma_i, u_i)$$
$$\prod_{i=1}^n e(a_i, V_i) = e(c_v, h)\prod_{i=1}^n e(g_i, v_i) \qquad \prod_{i=1}^n e(b_i, V_i) = e(c'_v, h)\prod_{i=1}^n e(\gamma_i, v_i)$$
$$\prod_{i=1}^n e(a_i, W_i) = e(c_u c_v, g)\prod_{i=1}^n e(g_i, w_i) \qquad \prod_{i=1}^n e(b_i, W_i) = e(c'_u c'_v, g)\prod_{i=1}^n e(\gamma_i, w_i)$$

A naive non-interactive argument would be to let the prover send $\pi, c_u, c_v, c'_u, c'_v$ to the verifier. The verifier can check the six above equations himself for the verification step.
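As an added example (not code from the paper), the following Python toy models the naive protocol above in the exponent: every group element is stored as its discrete logarithm modulo a constructed prime, so the six pairing product equations become linear identities that can be checked directly. It runs a BBS shuffle through those checks and shows a replaced output ciphertext failing them; names such as naive_prove and naive_verify are the example's own.

```python
"""Toy check of the naive shuffle argument (the six verification equations).

Group elements are stored as their discrete logarithms in Z_p: g^a is the
integer a, multiplication in G is addition mod p and the pairing
e(g^a, g^b) = e(g,g)^{ab} is multiplication mod p.  This is only bookkeeping
for the algebra (what the generic-group proofs reason about); it is not a
secure implementation, since every "exponent" is in the clear."""
import random

P = (1 << 127) - 1   # constructed toy prime standing in for the group order p


def bbs_keygen(rng):
    """Public key (f, h) = (g^x, g^y); in exponent form f -> x and h -> y, so
    the same pair also serves as the decryption key (x, y)."""
    return rng.randrange(1, P), rng.randrange(1, P)


def bbs_encrypt(pk, mu, rng):
    """(u, v, w) = (f^r, h^s, g^{r+s} m) with m = g^mu, in exponent form."""
    x, y = pk
    r, s = rng.randrange(P), rng.randrange(P)
    return (x * r % P, y * s % P, (r + s + mu) % P)


def bbs_decrypt(sk, ct):
    """m = u^{-1/x} v^{-1/y} w."""
    x, y = sk
    u, v, w = ct
    return (w - u * pow(x, -1, P) - v * pow(y, -1, P)) % P


def crs_gen(n, rng):
    """CRS {g_i = g^{x_i}} and {gamma_i = g^{x_i^2}} for random x_i."""
    xs = [rng.randrange(1, P) for _ in range(n)]
    return xs, [xi * xi % P for xi in xs]


def shuffle(pk, cts, rng):
    """U_i = u_{pi(i)} f^{S_i}, V_i = v_{pi(i)} h^{T_i}, W_i = w_{pi(i)} g^{S_i+T_i}.
    Returns the output ciphertexts and the prover's witness (pi, S, T)."""
    x, y = pk
    n = len(cts)
    pi = list(range(n))
    rng.shuffle(pi)
    S = [rng.randrange(P) for _ in range(n)]
    T = [rng.randrange(P) for _ in range(n)]
    outs = []
    for i in range(n):
        u, v, w = cts[pi[i]]
        outs.append(((u + x * S[i]) % P, (v + y * T[i]) % P, (w + S[i] + T[i]) % P))
    return outs, (pi, S, T)


def naive_prove(crs, witness):
    """Naive argument: pi, c_u, c_v, c'_u, c'_v are sent in the clear."""
    gs, gammas = crs
    pi, S, T = witness
    a = [gs[j] for j in pi]          # a_i := g_{pi(i)}
    b = [gammas[j] for j in pi]      # b_i := gamma_{pi(i)}
    dot = lambda xs, ys: sum(p * q for p, q in zip(xs, ys)) % P
    return pi, dot(a, S), dot(a, T), dot(b, S), dot(b, T)


def naive_verify(crs, pk, cts, outs, proof):
    """The six pairing product equations: products of pairings turn into sums of
    products of exponents, e(c, f) into c*x, e(c, h) into c*y, e(c, g) into c."""
    gs, gammas = crs
    x, y = pk
    pi, c_u, c_v, c_u2, c_v2 = proof
    n = len(cts)
    if sorted(pi) != list(range(n)) or len(outs) != n:
        return False
    a = [gs[j] for j in pi]
    b = [gammas[j] for j in pi]
    lhs = lambda col, k: sum(ci * o[k] for ci, o in zip(col, outs)) % P
    rhs = lambda col, k: sum(ci * c[k] for ci, c in zip(col, cts)) % P
    return (lhs(a, 0) == (c_u * x + rhs(gs, 0)) % P
            and lhs(a, 1) == (c_v * y + rhs(gs, 1)) % P
            and lhs(a, 2) == (c_u + c_v + rhs(gs, 2)) % P
            and lhs(b, 0) == (c_u2 * x + rhs(gammas, 0)) % P
            and lhs(b, 1) == (c_v2 * y + rhs(gammas, 1)) % P
            and lhs(b, 2) == (c_u2 + c_v2 + rhs(gammas, 2)) % P)


def demo(n=4, seed=7):
    """Honest shuffle verifies and keeps the plaintext multiset; replacing one
    output by an encryption of a different message makes the check fail."""
    rng = random.Random(seed)
    pk = bbs_keygen(rng)
    crs = crs_gen(n, rng)
    msgs = [rng.randrange(P) for _ in range(n)]
    cts = [bbs_encrypt(pk, m, rng) for m in msgs]
    outs, wit = shuffle(pk, cts, rng)
    proof = naive_prove(crs, wit)
    honest_ok = naive_verify(crs, pk, cts, outs, proof)
    preserved = sorted(bbs_decrypt(pk, c) for c in outs) == sorted(msgs)
    bad = list(outs)
    bad[0] = bbs_encrypt(pk, (msgs[0] + 1) % P, rng)   # a non-shuffle
    return honest_ok, preserved, naive_verify(crs, pk, cts, bad, proof)
```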
The naive protocol described is complete by observation. We also have the following lemma:

Lemma 1. The naive protocol is $R_{co}$-sound.

Proof. The idea behind $R_{co}$-soundness is to look at the underlying messages. If a dishonest prover were to convince a verifier with a non-shuffle as well as produce a witness (decryption key) $w_{co} = (x, y)$, we can "decrypt" the equations checked by the verifier. Namely, if we let $m_i = u_i^{-1/x} v_i^{-1/y} w_i$ and $M_i = U_i^{-1/x} V_i^{-1/y} W_i$, then by applying the same algebraic manipulations to the equations, we obtain:

$$\Big[\prod_{i=1}^n e(a_i, U_i)\Big]^{-1/x} \cdot \Big[\prod_{i=1}^n e(a_i, V_i)\Big]^{-1/y} \cdot \Big[\prod_{i=1}^n e(a_i, W_i)\Big] = \Big[e(c_u, f)\prod_{i=1}^n e(g_i, u_i)\Big]^{-1/x} \cdot \Big[e(c_v, h)\prod_{i=1}^n e(g_i, v_i)\Big]^{-1/y} \cdot \Big[e(c_u c_v, g)\prod_{i=1}^n e(g_i, w_i)\Big].$$

This gives us $\prod_{i=1}^n e(a_i, M_i) = e(c_u^{-1}, g)\, e(c_v^{-1}, g)\, e(c_u c_v, g)\prod_{i=1}^n e(g_i, m_i) = \prod_{i=1}^n e(g_i, m_i)$.

In a similar way we can show that $\prod_{i=1}^n e(b_i, M_i) = \prod_{i=1}^n e(\gamma_i, m_i)$. Observe that the equations may be rearranged to be $\prod_{i=1}^n e(\mu_i, g_i) = 1$ and $\prod_{i=1}^n e(\mu_i, \gamma_i) = 1$ where $\mu_i = m_i / M_{\pi^{-1}(i)}$. By the Simultaneous Pairing Assumption, it is infeasible for the prover to find non-trivial $\mu_i$ satisfying these two equations, and thus we reach a contradiction. □

The downfall of the naive protocol is that it completely reveals the permutation. In the actual NIZK argument, we will instead argue that there exist elements $\{a_i\}$ and $\{b_i\}$ that satisfy the equations above rather than revealing them directly. We accomplish this by making a GS proof for the set of pairing product equations given earlier. Our NIZK argument is described in Figure 1.

Theorem 3. The protocol in Figure 1 is a non-interactive perfectly complete, computationally $R_{co}$-sound, perfect zero-knowledge argument of a correct shuffle of BBS ciphertexts under the Decisional Linear Assumption, Permutation Pairing Assumption, and Simultaneous Pairing Assumption.

Proof. As we see in the protocol, the prover can generate the witness for the GS proof herself. Perfect completeness follows from the perfect completeness of the GS proofs.

We will now prove that we have perfect zero-knowledge. The simulator $S = (S_1, S_2)$ will generate a transcript as described in Figure 2. By construction, the common reference strings are generated in the same way. The only difference between a real proof and a simulated proof is the witness given to the GS proof. By the perfect witness-indistinguishability of the GS proof, real proofs and simulated proofs are perfectly indistinguishable.

It remains to prove that we have computational $R_{co}$-soundness. The adversary is trying to output a public key $(f, h)$ and a non-shuffle of $n$ input ciphertexts and $n$ output ciphertexts, a convincing NIZK argument $\psi$ of it being a shuffle, and a decryption key
Setup: Generate a bilinear group $gk := (p, G, G_T, e, g) \leftarrow \mathcal{G}(1^k)$.

Common reference string: Generate a perfectly hiding common reference string $(\sigma_{\mathrm{hiding}}, \tau_{\mathrm{trapdoor}}) \leftarrow K_{\mathrm{hiding}}(p, G, G_T, e, g)$ to get perfectly witness-indistinguishable GS proofs. Pick random $x_1, \ldots, x_n \leftarrow \mathbb{Z}_p$ and compute $\forall i:\ g_i := g^{x_i},\ \gamma_i := g^{x_i^2}$.

The common reference string is $\sigma := (\sigma_{\mathrm{hiding}}, \{g_i\}, \{\gamma_i\})$.

Shuffle statement: Public key $(f, h)$ for the BBS cryptosystem. Input ciphertexts $\{(u_i, v_i, w_i)\}$ and output ciphertexts $\{(U_i, V_i, W_i)\}$.

Prover's input: Permutation $\pi \in S_n$ and randomizers $\{(S_i, T_i)\}$ so $U_i = u_{\pi(i)} f^{S_i}$, $V_i = v_{\pi(i)} h^{T_i}$ and $W_i = w_{\pi(i)} g^{S_i+T_i}$ for all $i$.

Proof: The prover sets up the following pairing product equations:

$$\phi = 1 \bmod p,\quad d_u^{\phi} = 1,\quad d_v^{\phi} = 1,\quad d_w^{\phi} = 1,\quad (d'_u)^{\phi} = 1,\quad (d'_v)^{\phi} = 1,\quad (d'_w)^{\phi} = 1,$$
$$\prod_{i=1}^n a_i g_i^{-1} = 1,\quad \prod_{i=1}^n b_i \gamma_i^{-1} = 1,\quad (\forall i)\ e(a_i, a_i) = e(g, b_i)$$
$$e(d_u, g)\prod_{i=1}^n e(a_i, U_i) = e(c_u, f)\prod_{i=1}^n e(g_i, u_i) \qquad e(d'_u, g)\prod_{i=1}^n e(b_i, U_i) = e(c'_u, f)\prod_{i=1}^n e(\gamma_i, u_i)$$
$$e(d_v, g)\prod_{i=1}^n e(a_i, V_i) = e(c_v, h)\prod_{i=1}^n e(g_i, v_i) \qquad e(d'_v, g)\prod_{i=1}^n e(b_i, V_i) = e(c'_v, h)\prod_{i=1}^n e(\gamma_i, v_i)$$
$$e(d_w, g)\prod_{i=1}^n e(a_i, W_i) = e(c_u c_v, g)\prod_{i=1}^n e(g_i, w_i) \qquad e(d'_w, g)\prod_{i=1}^n e(b_i, W_i) = e(c'_u c'_v, g)\prod_{i=1}^n e(\gamma_i, w_i)$$

A witness for satisfiability of the equations can be computed as:

$$\phi := 1,\quad c_u := \prod_{i=1}^n a_i^{S_i},\quad c_v := \prod_{i=1}^n a_i^{T_i},\quad c'_u := \prod_{i=1}^n b_i^{S_i},\quad c'_v := \prod_{i=1}^n b_i^{T_i},\qquad \forall i:\ a_i := g_{\pi(i)},\ b_i := \gamma_{\pi(i)}$$

and setting the remaining variables to 1. The prover generates a GS proof $\psi$ that there exists an exponent $\phi \in \mathbb{Z}_p$ and group elements $\{a_i\}, \{b_i\}, c_u, c_v, c'_u, c'_v, d_u, d_v, d_w, d'_u, d'_v, d'_w$ that satisfy the equations.

Verification: The verifier accepts the non-interactive argument if and only if the GS proof $\psi$ is valid.

Fig. 1. NIZK Argument for Correct Shuffle of BBS Ciphertexts

$(x, y)$. The relation $R_{co}$ is a polynomial time decidable relation that tests that $(x, y)$ is the decryption key for $(f, h)$ and that indeed we do have a non-shuffle.

We will change the way we construct the common reference string for the NIZK argument. Instead of generating $\sigma = (\sigma_{\mathrm{hiding}}, \{g_i\}, \{\gamma_i\})$ as in the scheme, we return $\sigma := (\sigma_{\mathrm{binding}}, \{g_i\}, \{\gamma_i\})$ where $(\sigma_{\mathrm{binding}}, \xi_{\mathrm{extraction}}) \leftarrow K_{\mathrm{binding}}(p, G, G_T, e, g)$. By the Decisional Linear Assumption, perfectly binding and perfectly hiding common reference strings for the GS proofs are computationally indistinguishable, so the adversary's success probability only changes negligibly.

The commitment with trivial randomness is now a perfectly binding commitment to the exponent $\phi = 1$. The GS proof is a perfect proof of knowledge of variables $c_u, c_v, c'_u, c'_v, d_u, d_v, d_w, d'_u, d'_v, d'_w, \{a_i\}, \{b_i\}$ satisfying the equations, which can be extracted using $\xi_{\mathrm{extraction}}$. Since $\phi = 1$, the equations demonstrate that $d_u = d_v = d_w = d'_u = d'_v = d'_w = 1$. The elements $\{a_i\}, \{b_i\}$ satisfy a Permutation Pairing problem and the hardness of this problem tells us that with overwhelming probability they are a permutation of $\{(g_i, \gamma_i)\}$. Lemma 1 now gives us that there is negligible probability of $c_u, c_v, c'_u, c'_v, \{a_i\}, \{b_i\}$ satisfying the equations and at the same time the input and output ciphertexts not being a shuffle. □


Simulated common reference string: The simulator $S_1$ runs the common reference string generation protocol. It sets $\tau := (\tau_{\mathrm{trapdoor}}, x_1, \ldots, x_n)$ and outputs $(\sigma, \tau)$.

Shuffle statement: Public key $(f, h)$ for the BBS cryptosystem. Input ciphertexts $\{(u_i, v_i, w_i)\}$ and output ciphertexts $\{(U_i, V_i, W_i)\}$.

Simulator's input: The simulator $S_2$ receives the shuffle statement and $(\sigma, \tau)$.

Simulated proof: Create a trapdoor commitment with double opening to $\phi = 0$ and $\phi = 1$. Compute
o—n-b. 

4:=n«'s 

Set the remaining variables to 1 and create a perfectly witness-indistinguishable GS proof $\psi$ that there exists an exponent $\phi \in \mathbb{Z}_p$ and group elements $\{a_i\}, \{b_i\}, c_u, c_v, c'_u, c'_v, d_u, d_v, d_w, d'_u, d'_v, d'_w$ that satisfy the required equations.

Fig. 2. Simulated Argument for Correct Shuffle of BBS Ciphertexts


Size of the NIZK Argument. To commit to $\phi = 1$ we can use trivial randomness, so the commitment to $\phi$ does not have to be included in the proof; the verifier can compute it himself. There are $2n + 10$ variables in $G$ and it takes 3 group elements for each commitment, so the commitments contribute a total of $6n + 30$ group elements towards the proof size.

The first 6 equalities cost 9 group elements each for a total of 54 group elements. The next two multi-exponentiation equations cost 9 group elements each for a total of 18 group elements. We then have $n$ pairing product equations of the form $e(a_i, a_i) = e(g, b_i)$ which cost a total of $9n$ group elements. Finally, we have 6 pairing product equations, where one side of the pairings is publicly known and one side is committed. They each cost 3 group elements for a total of 18 group elements.

The total size of the proof is $15n + 120$ group elements. The size of the common reference string is $2n + 8$ group elements.¹

We remark that the cost of shuffling multiple sets of ciphertexts with the same permutation may be amortized to a constant number of group elements. The first set of ciphertexts costs $15n + 120$ group elements. But we only need to commit to $a_i, b_i$ and prove $e(a_i, a_i) = e(g, b_i)$ once. Regardless of $n$, the subsequent shuffles under the same permutation only cost 120 group elements each.

¹ One could wish for a common reference string that has only a constant number of group elements, but currently even all known 3-move zero-knowledge arguments have common reference strings of size $\Omega(n)$.
5 Remark on Shuffling BGN Ciphertexts

Another homomorphic cryptosystem over bilinear groups was introduced by Boneh, Goh and Nissim [BGN05]. This cryptosystem is based on the Subgroup Decision Assumption over composite order bilinear groups. The ciphertexts consist of one group element each, so with $n$ input ciphertexts and $n$ output ciphertexts, the shuffle statement contains $2n$ group elements plus the group elements describing the public key. The techniques we have presented in this paper can also be used to shuffle BGN ciphertexts. Assuming the Subgroup Decision Assumption holds and assuming suitable variants of the Permutation Pairing and the Simultaneous Pairing Assumptions hold, we can make an NIZK argument for correctness of a shuffle consisting of $3n + O(1)$ group elements. Since the Subgroup Decision Assumption only holds when factoring the group order is hard, the group elements in this scheme are quite large though.

While this scheme may have applications, we note that there is one subtle issue that one must be careful about. The GS proofs can be instantiated with bilinear groups of composite order where the Subgroup Decision Problem is hard, but they are only secure if the factorization of the composite group order is unknown. The decryption key for the cryptosystem is the factorization of the group order. The $R_{co}$-soundness of the scheme therefore only holds as long as the adversary does not know the decryption key for the cryptosystem. The NIZK argument is therefore not $R_{co}$-sound as defined in this paper, albeit it will satisfy a suitably weakened $R_{co}$-soundness definition.
Abstract. We provide a formal model for identification schemes. Under this model, we give strong definitions for security and privacy. Our model captures the notion of a powerful adversary who can monitor all communications, trace tags within a limited period of time, corrupt tags, and get side channel information on the reader output. Adversaries who do not have access to this side channel are called narrow adversaries. Depending on restrictions on corruption, adversaries are called strong, destructive, forward, or weak adversaries. We derive some separation results: strong privacy is impossible. Narrow-strong privacy implies key agreement. We also prove some constructions: narrow-strong and forward privacy based on a public-key cryptosystem, narrow-destructive privacy based on a random oracle, and weak privacy based on a pseudorandom function.

1 The Privacy Issue in RFID Schemes

RFID protocols are used to identify cheap tags through wireless channels. However, putting tags in wearable items leads to privacy concerns. Although several privacy models exist so far, all have their own limitations, and finally, the classes of protocols that achieve privacy for one model or the other are not always comparable. A widely accepted flexible model permitting to establish a common measure of the performance of identification protocols is still under construction. We aim at contributing to this effort. To do so, we propose formal definitions of RFID schemes and adversaries and consider a twofold characterization of a scheme in terms of security and privacy. The former assesses the soundness of tag authentication. The latter is the ability to resist adversaries aiming at identifying, tracing, or linking tags.

In a nutshell, we formalize several types of privacy and study inherent limitations for RFID applications. We discuss which restrictions we can assume regarding tag corruption and availability of side channels. We show how to achieve those levels of privacy and what must be used in terms of conventional vs. public-key cryptography or stateless vs. rewritable tags. We show that the strongest possible level of privacy implies key agreement, thus mandating the use of some public-key cryptography techniques. We present a simple protocol for that.

We assume a powerful adversary who can control all communications and interfere with the system. Cheap tags are not tamper-resistant so we analyze the ability to assure privacy and security even when an adversary is allowed to corrupt tags and retrieve the internal state. One novelty of our models is that they provide some kind of "exposure slots". Namely, adversaries can trace a tag within a limited time period during which this tag remains in the vicinity of the adversary. During this period, they can refer to the tag by using a temporary identity. In practice, this temporary identity can be the 32-bit number that is used in the ISO/IEC 14443-3 norm [2] in singulation protocols for collision avoidance [?]. It can also be some tag named from its radiation pattern signature [?]. Exposure time periods are indeed unavoidable.

We consider several types of restrictions regarding tag corruption. The weakest model does not allow corruption. The relevant model for the so-called forward privacy allows corruption, but only at the end of the attack so that no further active action happens after corruption.¹ One less restrictive (thus stronger) model tolerates corruption at any time, but assumes that opening a tag destroys it so that it no longer circulates in nature. This model is called destructive. Our strongest model allows corruption at any time and even to put the tag back to nature so that tracing it is still considered as a threat. Although the purpose for distinguishing those two latter models is not clear, we prove that they separate.

Another question, as studied in Juels-Weis [?], is whether the adversary has access to the protocol partial output or not. Namely, can we consider that the adversary knows whether a reader succeeded to identify a legitimate tag or not? We call narrow adversaries those who do not have access to this information while "wider" adversaries can get it from side channels (e.g. the question whether a door opens or not). It is well known that security or privacy can collapse in such a case (e.g. for the HB+ protocol [17, 23, 25] or the OSK protocol [24, 30]). It happens to be quite orthogonal to the corruption variants so that we obtain an array of $4 \times 2 = 8$ adversarial models. We prove that those privacy models are pairwise different.

Related Work. Many simple challenge-response protocols have been proposed without addressing corruption [14, 28, 39]. The Ohkubo-Suzuki-Kinoshita protocol (OSK) [31] (see also [?]) made forward privacy possible. A few attempts have been made to really formalize privacy in RFID protocols. One of the first attempts was made by Avoine-Dysli-Oechslin [?], later extended in the Thesis of Avoine [?]. Following their model, privacy is formalized by the ability to distinguish two known tags. The model excludes the availability of side-channel information such as whether a protocol instance on the reader did succeed. Juels and Weis [?] extended this model using side-channel information and making the two target tags chosen by the adversary. Another model was proposed by Burmester, van Le, and de Medeiros [?]. In all these models, corrupted tags cannot be the target of privacy adversaries. Another approach by Damgard-Ostergaard [?] studies RFID schemes "with symmetric cryptography only" to focus on the tradeoffs between complexity and security.

Our Contribution. In this paper we present a complete formalism for defining RFID schemes and their security, and build a hierarchy of privacy models. Our definition for security is equivalent to Damgard-Ostergaard [?]. We prove that security against strong adversaries can be easily achieved using a pseudorandom

¹ Note that some authors call this notion backward privacy [?]. Their notion of forward privacy is included in our notion of strong privacy.
function family. We prove that strong privacy is impossible. We show that an RFID scheme that achieves narrow-strong privac can efficiently be transformed into a key agreement protocol, meaning that this type of privacy essentially needs public-key cryptography techniques. On the other hand, we show that a public-key cryptosystem that resists adaptively chosen ciphertext attacks can be used to define a simple narrow-strong private and forward private protocol. We further prove the narrow-destructive privacy of an OSK-like protocol [?] in the random oracle model and the weak privacy of a classical challenge-response protocol based on a pseudorandom function. This work follows up some joint work during the Thesis of Bocchetti [?].

2 Definitions

In the sequel, a function in terms of a security parameter $s$ is said to be polynomial if there exists a constant $n$ such that it is $O(s^n)$. Similarly, a function is said to be negligible if there exists a constant $x > 0$ such that it is $O(x^{-s})$. For the sake of readability we concentrate on asymptotic complexities and security although all our results can be written with more precise bounds.

The tag is a passive transponder identified by a unique ID. We typically focus on a cheap tag which is passive: it has no batteries, it can operate just when interrogated by a reader and only for a short time. It has limited memory: each tag has only a few Kbit of memory on board. It has limited computational abilities. Each tag can perform only basic cryptographic calculations: hash calculations [?], pseudorandom generation [?], symmetric encryption [?]. Some elliptic-curve arithmetic [?] and zero-knowledge identification [?] may fit, as well as public-key cryptography [?], but remain expensive so far. It is not tamper proof. It communicates at up to a limited distance: the communication Tag → Reader is limited to a few meters (if not centimeters).

The reader is a device composed of one or more transceivers and a backend processing subsystem. Security issues within the reader are not addressed in this work; moreover we focus on single backend readers. Note however that sometimes in the literature "reader" denotes the transceiver alone. The purpose of the reader is to interact with tags so that it can tell legitimate tags (i.e. tags which are registered in the database) and unknown tags apart, and further identify (i.e. infer their ID) legitimate tags.

Definition 1 (RFID Scheme). An RFID scheme is composed of

— a setup scheme $\mathrm{SetupReader}(1^s)$ which generates a private/public key pair $(K_S, K_P)$ for the reader depending on a security parameter $s$. The key $K_S$ is to be stored in the reader backend. The key $K_P$ is publicly released. Throughout this paper we assume that $s$ is implicitly specified in $K_P$ so that there is no need to mention $s$ any longer.

— a polynomial-time algorithm $\mathrm{SetupTag}_{K_P}(\mathrm{ID})$ which returns $(K, S)$: the tag-specific secret $K$ and the initial state $S$ of the tag. The pair $(\mathrm{ID}, K)$ is to be stored in the reader backend when the tag is legitimate.

— a polynomial-time interactive protocol between a reader and a tag in which the reader ends with a tape Output.

An RFID scheme is such that the output is correct except with a negligible probability for any polynomial-time experiment which can be described as follows.

1: set up the reader
2: create many tags including a subject one named ID
3: execute a complete protocol between reader and tag ID

The output is correct if and only if Output $= \bot$ and tag ID is not legitimate, or Output $= \mathrm{ID}$ and ID is legitimate.

When Output $= \bot$ but tag ID is legitimate, we have a false negative. When Output $\neq \bot$ but tag ID is not legitimate, we have a false positive. When Output $\notin \{\mathrm{ID}, \bot\}$ and tag ID is legitimate, we have an incorrect identification.

The RFID scheme is stateless if the tag state $S$ is not allowed to change in time. Note that we do not a priori assume that tags know their ID nor their secret $K$: it is up to the protocol specification to make them extractable from $S$. We assume that a reader can run several concurrent instances of a protocol but that tags cannot. In this paper, we do not consider reader authentication so we do not consider any output on the side of the tag.²

In practice, some information about Output may leak from a side channel (e.g. by observing a door opening at a tag transit and deducing that authentication was successful). Having access to such information could allow an adversary to gather information about tag identities. For simplicity, we focus here on passive tags which are free of side channels except by full corruption.

2.1 Adversaries

The characterization of the adversary is essentially done by specifying the actions that she is allowed to perform (i.e. the oracles she can query), the goal of her attack (i.e. the game she plays) and the way in which she can interact with the system (i.e. the rules of the game). We consider that, at every time, a tag can either be a free tag or a drawn tag. Drawn tags are the ones within "visual contact" of the adversary so that she can communicate while being able to link communications. Free tags are all the other tags. Two oracles are defined below to draw or free tags. We call virtual tag a unique reference (e.g. using a drawing sequence number or a nonce) to the action of drawing a tag. This plays the same role as a temporary identity. Note that two different virtual tags may refer to the same tag that has been drawn, freed, and drawn again.

Definition 2 (Adversary). An adversary is an algorithm which takes a public key $K_P$ as input and runs by using the eight following oracles.

— $\mathrm{CreateTag}^b(\mathrm{ID})$: creates a free tag, either legitimate ($b = 1$) or not ($b = 0$), with unique identifier ID. This oracle uses the $\mathrm{SetupTag}_{K_P}$ algorithm to set up the tag and (for $b = 1$ only) to update the system database. By convention, $b$ is implicitly 1 when omitted.

² This model was extended for mutual authentication in the Thesis of Paise [?].
— $\mathrm{DrawTag}(\mathrm{distr}) \to (\mathrm{vtag}_1, b_1, \ldots, \mathrm{vtag}_n, b_n)$: moves from the set of free tags to the set of drawn tags a tuple of tags at random following the probability distribution distr (which is specified by a polynomially bounded sampling algorithm). The oracle returns a vector of fresh identifiers $(\mathrm{vtag}_1, \ldots, \mathrm{vtag}_n)$ which allows to anonymously designate these tags. Drawing tags already drawn or not existing provokes the oracle to return $\bot$ in place of the respective virtual tag. We further assume that this oracle returns bits $(b_1, \ldots, b_n)$ telling whether the drawn tags are legitimate or not.³ This oracle keeps a hidden table $T$ such that $T(\mathrm{vtag})$ is the ID of vtag.

— $\mathrm{Free}(\mathrm{vtag})$: moves the virtual tag vtag back to the set of the free tags. This makes vtag unreachable. (That is, using vtag in oracle calls is no longer allowed.)

— $\mathrm{Launch} \to \pi$: makes the reader launch a new protocol instance $\pi$.

— $\mathrm{SendReader}(m, \pi) \to m'$ (resp. $\mathrm{SendTag}(m, \mathrm{vtag}) \to m'$): sends a message $m$ to a protocol instance $\pi$ for the reader (resp. to virtual tag vtag) and receives the answer $m'$ (that is meant to be sent to the counterpart). By convention we write $\mathrm{Execute}(\mathrm{vtag}) \to (\pi, \mathrm{transcript})$ to group one Launch query and successive use of SendReader and SendTag to execute a complete protocol between the reader and the tag vtag. It returns the transcript of the protocol, i.e. the list of successive protocol messages.

— $\mathrm{Result}(\pi) \to x$: when $\pi$ is complete, returns 1 if Output $\neq \bot$ and 0 otherwise.

— $\mathrm{Corrupt}(\mathrm{vtag}) \to S$: returns the current state $S$ of the tag. If vtag is no longer used after this oracle call, we say that vtag is destroyed.

The adversary plays a game which starts by setting up the RFID system and feeding the adversary with the public key. The adversary uses the oracles following some rules of the game and produces an output. Depending on the rules, the adversary wins or loses.

Definition 3 (Strong, destructive, forward, weak, and narrow adversary). We consider polynomial-time adversaries. Let STRONG be the class of adversaries who have access to the above oracles. Let DESTRUCTIVE be the class of adversaries who never use vtag again after a Corrupt(vtag) query (i.e. who destroy it). Let FORWARD be the class of adversaries in which Corrupt queries can only be followed by other Corrupt queries. Let WEAK be the class of adversaries who do no Corrupt query. Let NARROW be the class of adversaries who do no Result query.

Clearly, we have WEAK $\subset$ FORWARD $\subset$ DESTRUCTIVE $\subset$ STRONG.

2.2 Security of RFID Schemes

Definition 4 (Security). We consider any adversary in the class STRONG. We say the adversary wins if at least one protocol instance $\pi$ on the reader identified an uncorrupted legitimate tag ID but $\pi$ and ID did not have any matching

³ Namely, we assume that adversaries always have means to deduce whether a tag is legitimate or not by side channels.


On Privacy Models for RFID 


73 


conversation, i.e. they exchanged well interleaved and faithfully (but maybe with some time delay) transmitted messages until $\pi$ completed. We call ID a target tag and $\pi$ a target instance. We say that the RFID scheme is secure if the success probability of any such adversary is negligible.

All protocols that we study here are two-pass protocols in which the reader starts by sending a random challenge $a$ and the tag produces a response $c$ depending on $a$. This way, attacks leading to matching protocol transcripts but badly interleaved messages have negligible probability of success.
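The following Python sketch, an added example rather than the paper's own code, implements the oracles of Definition 2 for a stateless two-pass PRF challenge-response tag (HMAC-SHA256 standing in for the PRF, and the tag state equal to its key, both assumptions of this example) and plays two games: a replay attempt in the security game of Definition 4, and a FORWARD-class adversary of Definition 3 that links an earlier transcript to a tag it corrupts as its last query.

```python
"""Executable sketch of the RFID game of Definitions 2 to 4 for a two-pass
challenge-response protocol: the reader sends a random challenge a, the tag
answers c = PRF_K(a) and the reader identifies the database entry whose key
reproduces c.  Added example, not the paper's code; HMAC-SHA256 stands in for
the PRF and the tag state S is just its key K (a constructed stateless tag)."""
import hashlib
import hmac
import os
import random


def prf(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()


class RFIDSystem:
    """Reader database, free/drawn tags and the oracles of Definition 2."""

    def __init__(self, seed=0):
        self.rng = random.Random(seed)
        self.db = {}         # ID -> K, legitimate tags only
        self.tags = {}       # ID -> state S (here S = K)
        self.drawn = {}      # hidden table T: vtag -> ID
        self.instances = {}  # pi -> {"a": challenge, "output": ID or None}
        self.counter = 0

    def create_tag(self, ID, legitimate=True):          # CreateTag^b(ID)
        K = self.rng.getrandbits(128).to_bytes(16, "big")
        self.tags[ID] = K
        if legitimate:
            self.db[ID] = K

    def draw_tag(self, ID):                             # DrawTag, one tag at a time
        """Returns (vtag, b): a fresh temporary identity and the legitimacy bit,
        or (None, None) if the tag is unknown or already drawn."""
        if ID not in self.tags or ID in self.drawn.values():
            return None, None
        vtag = "vtag%d" % self.counter
        self.counter += 1
        self.drawn[vtag] = ID
        return vtag, ID in self.db

    def free(self, vtag):                               # Free(vtag)
        del self.drawn[vtag]

    def launch(self):                                   # Launch -> pi
        pi = len(self.instances)
        self.instances[pi] = {"a": None, "output": None}
        return pi

    def send_reader(self, msg, pi):                     # SendReader(m, pi) -> m'
        inst = self.instances[pi]
        if inst["a"] is None:                           # first pass: fresh challenge
            inst["a"] = self.rng.getrandbits(64).to_bytes(8, "big")
            return inst["a"]
        for ID, K in self.db.items():                   # second pass: identify
            if hmac.compare_digest(prf(K, inst["a"]), msg):
                inst["output"] = ID
        return None

    def send_tag(self, msg, vtag):                      # SendTag(m, vtag) -> m'
        return prf(self.tags[self.drawn[vtag]], msg)

    def result(self, pi):                               # Result(pi): 1 iff Output != bottom
        return 1 if self.instances[pi]["output"] is not None else 0

    def corrupt(self, vtag):                            # Corrupt(vtag) -> S
        return self.tags[self.drawn[vtag]]


def replay_attempt(seed=1):
    """Security game (Definition 4): replaying an eavesdropped response to a new
    instance fails, because that instance picked a fresh challenge, so there is
    no matching conversation.  Returns (Result(pi1), Result(pi2))."""
    rf = RFIDSystem(seed)
    rf.create_tag("tag-A")
    vtag, _ = rf.draw_tag("tag-A")
    pi1 = rf.launch()
    c1 = rf.send_tag(rf.send_reader(None, pi1), vtag)   # honest run, observed
    rf.send_reader(c1, pi1)
    pi2 = rf.launch()
    rf.send_reader(None, pi2)                           # challenge a2 != a1
    rf.send_reader(c1, pi2)                             # replayed c1
    return rf.result(pi1), rf.result(pi2)


def forward_linking(seed=2):
    """A FORWARD adversary (Definition 3) records one transcript per virtual tag,
    then corrupts a tag as its last query and tests which old transcript the key
    explains.  The returned list names the earlier vtag of the corrupted tag: a
    stateless PRF tag is linkable after corruption, which is consistent with the
    paper claiming only weak privacy for this kind of protocol."""
    rf = RFIDSystem(seed)
    rf.create_tag("tag-A")
    rf.create_tag("tag-B")
    transcripts = {}
    for ID in ("tag-A", "tag-B"):
        vtag, _ = rf.draw_tag(ID)
        a = os.urandom(8)                               # adversary's own challenge
        transcripts[vtag] = (a, rf.send_tag(a, vtag))
        rf.free(vtag)
    vtag2, _ = rf.draw_tag("tag-A")                     # same tag, new identity
    K = rf.corrupt(vtag2)
    return [v for v, (a, c) in transcripts.items() if prf(K, a) == c]
```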

We use the following lemma to prove security of RFID schemes in our paper. 

Lemma 5 (Simple security for special RFID scheme). We consider an RFID scheme for which the reader protocol satisfies the following structure. First, the communication messages from the reader do not depend on the database. Second, there is a predicate $R$ and a sampling algorithm $S$ such that the output is computed by running $S$ on the set $\mathcal{L}$ of all ID corresponding to a database entry $(\mathrm{ID}, K)$ verifying $R(\mathrm{ID}, K; \tau)$, where $\tau$ is the protocol transcript. We assume that $R$ and $S$ do not use the database (but may use the secret key $K_S$). Third, the selected database entry may be updated by an extra algorithm not depending on other database entries or $K_S$. The algorithm $S$ is such that

— if $\mathcal{L} = \emptyset$ then $S(\mathcal{L}) = \bot$

— if $\mathcal{L} \neq \emptyset$ then $S(\mathcal{L})$ outputs an element of $\mathcal{L}$.

Finally, we assume that there exists an easily computable predicate $R'$ such that if a tag ID and the reader have a matching conversation with transcript $\tau$ and if $(\mathrm{ID}, K)$ is a database entry then $R(\mathrm{ID}, K; \tau) \Leftrightarrow R'(n)$ where $n$ is the number of previously completed protocol executions on the tag ID side since the last succeeded one. (A protocol execution with ID is called succeeded if it has a matching conversation with the reader with output ID.) We consider adversaries who

— create (and draw) a single tag ID

— use Launch, SendReader, SendTag

— use an oracle who checks the predicate $R$ on inputs different from ID

— use an oracle simulating $S$

— end on a final SendReader to an instance $\pi$.

The adversary wins if the protocol instance $\pi$ on the reader identified tag ID but has no matching conversation. We say that the scheme is simply secure if the success probability of any such adversary is negligible. If the scheme is simply secure, then it is secure.

Proof (Sketch). Let $\mathcal{A}$ be a strong adversary playing the security game. We can simulate DrawTag and Free queries and reduce to adversaries who draw tags once for all upon creation. Next, we can reduce to an adversary who guesses the first target tag ID upon creation, as well as the first target instance $\pi$. (The success probability is divided by a polynomially bounded factor.) Then, we can simulate all tags except ID so that only tag ID is really created. We show by induction that Output can be generated with the same distribution (except on $\pi$) when the adversary knows all database entries except $(\mathrm{ID}, K)$. To compute $R(\mathrm{ID}, K; \tau)$ without knowing $K$: if $\tau$ is non-matching then $R$ is not satisfied, otherwise $R'$ can be used. We can thus simulate the reader and Result queries. One trick is not to send the last message to a reader instance if the simulated output is not ID and to send it otherwise so that the database entry can be updated. By using the simple security we deduce that $\mathcal{A}$ has negligible success probability. The scheme is thus secure. □

2.3 Privacy of RFID Schemes 

RFID schemes are given three cryptographic properties: correctness, security, 
and privacy. Depending on the application, not all properties may be required. 
Correctness is part of the definition of RFID schemes and is implicitly assumed. 
Security (i.e. soundness of tag identification) is defined in Section 2.2. We define 
privacy in terms of the ability to infer non-trivial ID relations from protocol 
messages. This generalizes the notion of anonymity (for which the ID of tags cannot 
be inferred) and untraceability (for which the equality of two tags cannot be 
inferred). 

Definition 6 (Privacy). We consider adversaries who start with an attack 
phase allowing oracle queries then pursue an analysis phase with no oracle 
query. In between phases, the adversary receives the hidden table T of the 
DrawTag oracle then outputs either true or false. The adversary wins if the 
output is true. We say that the RFID scheme is P-private if all such adversaries 
which belong to class P are trivial following Def. 7. 

Definition 7 (Blinder, trivial adversary). A Blinder B for an adversary A 
is a polynomial-time algorithm which sees the same messages as A and simulates 
the Launch, SendReader, SendTag, and Result oracles to A. The blinder 
does not have access to the reader tapes so does not know the secret key nor 
the database. A blinded adversary A^B is itself an adversary who does not use 
the Launch, SendReader, SendTag, and Result oracles. An adversary A 
is trivial if there exists a B such that |Pr[A wins] − Pr[A^B wins]| is negligible. 

Informally, an adversary is trivial if it makes no effective use of protocol 
messages. Namely, these messages can be simulated without significantly affecting 
the success probability of the adversary. We stress that our privacy notion 
measures the privacy loss in the wireless link but not through tag corruption (since 
Corrupt queries are not blinded). In other words, we assume that corrupting 
a tag always compromises privacy and we only focus on wireless leakage. 

Clearly, we have the following links between privacy notions. 

strong        ⇒  destructive         ⇒  forward         ⇒  weak 
   ⇓                 ⇓                     ⇓                 ⇓ 
narrow-strong ⇒  narrow-destructive  ⇒  narrow-forward  ⇒  narrow-weak 

We will show separation between all those notions. We summarize below the 
non-implications with a reference to the appropriate notes. 
Some non-implication results may assume the existence of standard primitives 
such as IND-CCA public-key cryptosystems, random oracles, or pseudorandom 
functions. The non-implication of destructive privacy to strong privacy is 
equivalent to the feasibility of destructive privacy which is open so far. 

In this model, corrupted tags can be the victims of tracing attacks, contrarily 
to the model of Juels-Weis [ref] and Burmester-van Le-de Medeiros [ref]. For 
instance, the protocol O-TRAP provides privacy in the sense of [ref]. In this 
protocol, the reader sends a challenge r_sys to the tag and the tag answers with 
some random r_t and h_{K_i}(r_sys, r_t) where h is a keyed hash function and K_i is 
a key which is permanently stored in the tag state. Clearly, corrupting the tag 
reveals K_i that was used in former protocols and enables to identify the tag in 
previous sessions. Hence, O-TRAP is not narrow-forward private. 

We provide a useful lemma to get rid of Result queries. 

Lemma 8. We consider an RFID scheme with the property that whenever a 
legitimate tag and the reader have some matching conversation, the reader does 
not output ⊥. If the scheme is secure, then narrow-forward (resp. narrow-weak) 
privacy implies forward (resp. weak) privacy. 

Proof (Sketch). Let A be a forward (resp. weak) adversary for privacy. W.l.o.g. 
we can assume that there is no Result query related to an instance that has a 
matching conversation with a legitimate tag (in such a case the answer is 1, due 
to the hypothesis). Since corruptions (if any) are done late, remaining Result 
queries are most likely to yield 0 due to security. Let B be a partial blinder 
for A who blinds all Result queries: for all such queries, the simulated answer 
0 is returned. We further define an adversary A' playing the security game by 
simulating A and ending before the Corrupt queries. Let E be the event that 
one of the Result queries in A would answer 1. When E does not occur, A and 
A^B produce the same result. Since the scheme is secure, E occurs with negligible 
probability. We obtain that A is as effective as the narrow-forward (resp. narrow- 
weak) adversary A^B. By blinding A^B due to the privacy hypothesis, we obtain 
that A is as effective as A^C for some blinder C. □ 

3 Separation Results 

3.1 Strong Privacy Is Impossible 

Theorem 9. A destructive-private RFID scheme is not narrow-strong private. 
Namely, no RFID scheme can achieve privacy with respect to the class 

DESTRUCTIVE ∪ (NARROW ∩ STRONG). 
Note 10. As a consequence, strong privacy cannot be achieved. As another 
consequence, narrow-strong privacy (which is achieved by the scheme of Th. 19) 
does not imply strong privacy. Similarly, forward privacy (which is achieved by 
the same scheme) does not imply destructive privacy. 

Proof. Let us consider the following destructive adversary A who simulates to 
the reader a tag with state S_b which is either forged (S_0) or the one of a corrupted 
legitimate tag (S_1). The adversary yields true if and only if the reader recognizes 
the right case (from Result). 

1: (·, S_0) ← SetupTag_{K_P}(ID_0) 
2: CreateTag(ID_1) 
3: (vtag_1, ·) ← DrawTag(ID_1) 
4: S_1 ← Corrupt(vtag_1) (destroy it) 
5: flip a coin b ∈ {0, 1} 
6: π ← Launch 
7: simulate tag of state S_b with π 
8: x ← Result(π) 
9: output whether x = b 

The complexity of this adversary is polynomial. Clearly, if the protocol execution 
is correct, the adversary succeeds. Thus, 1 − Pr[A wins] is negligible. Hence, if we 
have destructive privacy, there must exist a blinder B such that 1 − Pr[A^B wins] is 
negligible as well. If we now look at a privacy game from the blinder perspective, 
it works as follows: 

– blinder receives a public key K_P 

– blinder gets one tag state S_1 (by looking at the answer from Corrupt) 

– blinder impersonates a reader to a tag whose state is either S_1 or some 
unknown S_0 depending on some unknown bit b 

– with high probability, blinder guesses b 

Indeed, a blinder is a distinguisher who never uses the secret key of the reader 
between a tag with known state and a random one. This means that for a 
destructive-private scheme, it must be possible to identify tags whose states 
are known a priori. We can use this blinder to construct the following narrow- 
strong adversary. Basically, the adversary creates and corrupts two legitimate 
tags, feeds the previous distinguisher with one of the tag states, and makes one 
of the two tags interact with it. If the distinguisher distinguishes well, the output 
is true. 

1: create tag ID_0 and tag ID_1 
2: draw both tags 
3: corrupt both tags and get their states S_0 and S_1 
4: free both tags 
5: draw a random tag: (vtag, ·) ← DrawTag(Pr[ID_0] = Pr[ID_1] = 1/2) 
6: simulate B with input K_P, S_1, and interacting with vtag and get bit x 
7: get T and output whether T(vtag) = ID_x 

This adversary A' has polynomial complexity and 1 − Pr[A' wins] is negligible. 
Clearly, for any blinder B' we have Pr[A'^{B'} wins] = 1/2. Hence the scheme is not 
narrow-strong private. □ 
3.2 Narrow-Strong Privacy Requires Key Agreement 

A key agreement protocol is an interactive protocol between two participants 
Alice and Bob with common public input set to the security parameter s which 
ends with a common output bit (the key), except with negligible probability. We 
assume that Alice initiates the protocol and that Bob responds. The protocol is 
secure (against a passive adversary) if any polynomial-time algorithm that is fed 
with the common input and the protocol transcript has a negligible advantage 
over 1/2 in guessing the key bit. 

We recall that a 2-round key agreement protocol can define a public-key 
cryptosystem. Rudich [ref] proved a separation between key agreement in k + 1 rounds 
and key agreement in k rounds, for any k. That is, a separation exists between 
key agreement in k rounds (for k > 2) and a public-key cryptosystem. Nevertheless, 
we do not know any efficient key agreement protocol based on conventional 
cryptography only. We use this fact to show that RFID schemes which achieve 
narrow-strong privacy need more than conventional cryptography techniques. 

Theorem 11. A narrow-strong private RFID scheme can be transformed (in 
polynomial time) into a secure key agreement protocol with the same number of 
rounds in which Alice simulates SetupTag and the reader and Bob simulates 
the tag. 

This means that any RFID scheme based on a pseudorandom function or a digital 
signature scheme only is unlikely to be narrow-strong private. Indeed, the tag 
workload should be at least the same as a responder Bob in a key agreement 
protocol of same number of rounds. For two-round protocols, this is equivalent 
to a public-key encryption algorithm (the reader does the decryption). 

Proof. We construct a protocol that securely sends a key bit b from Bob to Alice. 
Intuitively, Alice first creates two legitimate tags and sends their initial states to 
Bob. Then, Alice simulates the reader and Bob simulates either tag depending 
on the key bit. By identifying the tag, Alice gets b. 

1: Alice: (K_P, K_S) ← SetupReader(1^s) 
2: Alice: (K_0, S_0) ← SetupTag_{K_P}(ID_0), (K_1, S_1) ← SetupTag_{K_P}(ID_1) 
3: Alice sends (K_P, S_0, S_1) to Bob and simulates the reader protocol with 
database {(ID_0, K_0), (ID_1, K_1)} 
4: Bob simulates the tag protocol with state S_b and interacts with Alice 
5: Alice sets a such that ID_a = Output 

If the instance of the protocol is correct, Alice obtains a = b. This proves the 
correctness of the key agreement. Note that the number of message rounds 
is the same as in the RFID protocol. An adversary is an algorithm V which 
takes (K_P, S_0, S_1) and the transcript τ of the RFID protocol and returns a 
bit V(K_P, S_0, S_1, τ). We can now define an adversary A against the RFID 
scheme. 

1: create tag ID_0 and tag ID_1, draw them, corrupt them, get their states S_0 and 
S_1, and free them 
2: draw a random tag (vtag, ·) ← DrawTag(Pr[ID_0] = Pr[ID_1] = 1/2) 
3: (·, τ) ← Execute(vtag) 
4: set a = V(K_P, S_0, S_1, τ) 
5: get T and output whether T(vtag) = ID_a 

Clearly, this is a narrow-strong adversary such that Pr[A wins] = Pr[V wins]. 
There must exist a blinder B such that Pr[A wins] − Pr[A^B wins] is negligible. 
Clearly, A^B gets no information on whether ID_0 or ID_1 is drawn, so 
Pr[A^B wins] = 1/2. Hence, Pr[V wins] − 1/2 is negligible: the key agreement 
protocol is secure. □ 

We can similarly prove the following result. 

Theorem 12. A narrow-forward private stateless RFID scheme can be 
transformed into a secure key agreement with the same number of rounds. 

This is why protocols like OSK [ref] require tags to update their states. 

Proof. We proceed as before and use the following adversary A. 

1: create tag ID_0 and tag ID_1 
2: draw one tag at random (vtag, ·) ← DrawTag(Pr[ID_0] = Pr[ID_1] = 1/2) 
3: (·, τ) ← Execute(vtag) 
4: Free(vtag) 
5: draw tag ID_0 and tag ID_1, corrupt them, get their states S_0 and S_1 
6: set a = V(K_P, S_0, S_1, τ) 
7: get T and output whether T(vtag) = ID_a 

We observe that Execute does not modify the state of vtag. □ 

4 Case Studies 

4.1 Weak Privacy Based on a Pseudorandom Function 

We first construct a weak-private and secure protocol based on a pseudorandom 
function family (PRF). Let (F_{s,K})_{K ∈ {0,1}^{k(s)}} be a family of functions from 
{0,1}^{δ(s)} to {0,1}^{γ(s)}. We say it is a PRF if k, δ, γ are polynomially bounded, 
if 2^{-δ(s)} and 2^{-γ(s)} are negligible, if F_{s,K}(x) is computable in polynomial time, 
and if any distinguisher with polynomial complexity has a negligible advantage 
for distinguishing an oracle simulating F_{s,K} initialized with a random K from 
an oracle initialized with a truly random function. For more readability we omit 
the parameter s. 

We construct an RFID scheme as depicted on Fig. 1 with α = β = δ/2. The 
algorithm SetupTag(ID) simply picks a random k-bit key K and sets S = K. 

1. Reader picks a random α-bit string a and sends it to tag. 

2. Tag with state S sends a random β-bit string b and c = F_S(a, b) to reader. 

3. Reader looks for (ID, K) in the database such that c = F_K(a, b) and gets ID. 

This protocol is essentially equivalent to the ISO/IEC 9798-2 3-pass mutual 
authentication protocol that is used in [ref] and to the CR building block of [ref], 
Tag                                   System 
state: S (S = K)                      {..., (ID, K), ...} 
                       <-- a --       pick a ∈ {0,1}^α 
pick b ∈ {0,1}^β 
c = F_S(a, b)          -- b, c -->    find (ID, K) s.t. c = F_K(a, b) 
                                      output: ID or ⊥ if not found 

Fig. 1. A Weak-Private RFID Scheme based on PRF 

both without their third pass (the reader authentication pass). The randomized 
Hash-Lock identification scheme [ref] is this one with no a. But this opens the 
door to delay attacks where the reader protocol is launched after the tag protocol 
completed (so conversations are no longer matching). ISO/IEC 9798-2 2-pass 
unilateral authentication is this protocol with no b [ref]. But this opens the door 
to privacy threats by replaying a. 
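As an added illustration (not code from the paper), the following Python simulates the Fig. 1 scheme with HMAC-SHA256 standing in for the PRF F. It checks the matching-conversation requirement discussed above: a (b, c) pair produced for an earlier challenge is not accepted under a fresh a. It also carries out the Theorem 11 transformation on this scheme: Alice plays SetupTag and the reader, Bob plays the tag of state S_b, and a passive V holding (S_0, S_1) and the transcript recovers the key bit, which is the concrete reason a PRF-only scheme cannot be narrow-strong private. Byte lengths, class and function names are assumptions of this example.

```python
"""Added example: the Fig. 1 PRF-based scheme and the Theorem 11 transformation.
HMAC-SHA256 stands in for the PRF family F (an assumption of this example)."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

ALPHA = 16    # byte length of the reader challenge a (assumed parameter)
BETA = 16     # byte length of the tag nonce b (assumed parameter)
KEY_LEN = 16  # byte length of the tag key K (assumed parameter)


def prf(key: bytes, a: bytes, b: bytes) -> bytes:
    """F_K(a, b): HMAC-SHA256 over a||b plays the role of the PRF."""
    return hmac.new(key, a + b, hashlib.sha256).digest()


class Tag:
    """Tag whose state S is its key K (SetupTag picks K at random)."""

    def __init__(self, key: bytes) -> None:
        self.state = key

    def respond(self, a: bytes) -> Tuple[bytes, bytes]:
        """Step 2: pick a random b and answer (b, c) with c = F_S(a, b)."""
        b = secrets.token_bytes(BETA)
        return b, prf(self.state, a, b)


class Reader:
    """Reader holding the database of (ID, K) entries."""

    def __init__(self) -> None:
        self.db: Dict[str, bytes] = {}

    def setup_tag(self, ident: str) -> Tag:
        key = secrets.token_bytes(KEY_LEN)
        self.db[ident] = key
        return Tag(key)

    def challenge(self) -> bytes:
        """Step 1: a random alpha-bit string a."""
        return secrets.token_bytes(ALPHA)

    def identify(self, a: bytes, b: bytes, c: bytes) -> Optional[str]:
        """Step 3: the entry (ID, K) with c = F_K(a, b); None stands for the bottom output."""
        for ident, key in self.db.items():
            if hmac.compare_digest(prf(key, a, b), c):
                return ident
        return None


def run_protocol(reader: Reader, tag: Tag):
    """One complete execution; returns the reader output and the transcript (a, b, c)."""
    a = reader.challenge()
    b, c = tag.respond(a)
    return reader.identify(a, b, c), (a, b, c)


def stale_response_rejected(reader: Reader, tag: Tag) -> bool:
    """A (b, c) produced for an earlier challenge identifies under that challenge
    but not under a fresh one: the reader accepts only matching conversations."""
    a_old = reader.challenge()
    b, c = tag.respond(a_old)
    accepted_then = reader.identify(a_old, b, c) is not None
    accepted_now = reader.identify(reader.challenge(), b, c) is not None
    return accepted_then and not accepted_now


def key_agreement_from_scheme(key_bit: int) -> Tuple[int, int]:
    """Theorem 11 applied to this scheme. Alice runs SetupTag and the reader and
    hands Bob both tag states; Bob runs the tag of state S_b; Alice's output gives b.
    There is no public key K_P in this scheme, so the eavesdropper V sees only
    (S_0, S_1) and the transcript. Returns (bit recovered by Alice, bit recovered by V)."""
    alice = Reader()
    tags = [alice.setup_tag("ID0"), alice.setup_tag("ID1")]
    states = [t.state for t in tags]          # (S_0, S_1), sent to Bob in the clear
    bob = Tag(states[key_bit])
    ident, (a, b, c) = run_protocol(alice, bob)
    alice_bit = 0 if ident == "ID0" else 1
    # V recomputes F_{S_0}(a, b) from the public state: with a PRF the tag states
    # alone suffice, so the derived key agreement leaks its key bit.
    eve_bit = 0 if hmac.compare_digest(prf(states[0], a, b), c) else 1
    return alice_bit, eve_bit
```

`key_agreement_from_scheme` returning the same bit for Alice and for V is exactly the failure Theorem 11 predicts for a scheme built from conventional primitives only; the scheme remains weak-private because the states never leave the tags in the privacy game.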

Theorem 13. If F is a PRF, the above RFID scheme is secure and weak 
private. 

Note 14. The scheme is clearly not narrow-forward private since afterward 
corruption makes it possible to link tags. So, as a corollary of this theorem, weak 
privacy does not imply forward privacy and narrow-weak privacy does not imply 
narrow-forward privacy. 

Proof. Correctness. No false negative is possible here. False positives and 
incorrect identifications are possible when, given the selected tag key K and (a, b) 
values, there exists K' ≠ K in the database such that F_K(a, b) = F_{K'}(a, b). 
Let us assume that we have n legitimate tags in addition to a subject tag. We 
construct a distinguisher A that simulates the creation of the n tags and simulates 
a protocol between the subject tag and the reader. To compute F_K on a given 
input with the subject tag, A sends the input to an oracle which returns the 
output. If the subject tag is correctly identified in the simulation, A answers 1, 
otherwise it answers 0. This is a distinguisher for F, so it has a negligible 
advantage. When the oracle implements a random function, the probability of 
incorrect identification is bounded by n2^{-γ} which is negligible. Hence, the 
probability of incorrect identification with the right oracle is also negligible. 

Security. We first note that the protocol suits the special form in Lemma 5 
where R(ID, K; a, b, c) ⟺ F_K(a, b) = c and R' is always true. We can thus 
prove simple security and apply Lemma 5. 

Let A be an adversary for simple security with a single tag ID. W.l.o.g. we 
assume that A does not call R since R can be simulated. Since database entries 
are never modified we can reduce to the case where only the target π is launched 
and others are simulated. A calls SendReader(π) → a at time t and ends by 
SendReader((b, c), π). A further calls SendTag(a_i, ID) → (b_i, c_i) at time t'_i. A 
wins if c = F_K(a, b) and for every i such that t < t'_i we have (a_i, b_i, c_i) ≠ (a, b, c) 
(namely: conversations are not matching). As for correctness, let A' be an 
algorithm who simulates A and all oracles then looks whether the attack succeeded. 
To simulate SendTag(a_i, ID), A' simply picks a random b_i and queries an oracle 
F with (a_i, b_i) to get c_i and returns (b_i, c_i). To determine whether the attack 
succeeded, A' queries the oracle F again. Clearly, A and A' interacting with an 
oracle simulating F_K have the same success probability. A' can be considered as 
a distinguisher between F and a truly random function. Since F is pseudorandom, 
the distinguisher has negligible advantage, so A' interacting with an oracle 
simulating a random function has similar success probability as A. If t'_i < t, 
Pr[a = a_i] is negligible. If now t < t'_i, winning cases are for (a_i, b_i, c_i) ≠ (a, b, c), 
c_i = F(a_i, b_i), c = F(a, b), thus (a_i, b_i) ≠ (a, b). However, if (a_i, b_i) ≠ (a, b), the 
value for F(a, b) before the final query is free so Pr[c = F(a, b)] = 2^{-k}, which is 
negligible. Therefore, A succeeds with negligible probability. This proves simple 
security. Lemma 5 concludes. 

Weak Privacy. Thanks to Lemma 8 we only have to prove narrow-weak privacy. 
We want to prove that, for any narrow-weak adversary A, there exists a blinder 
B such that A has no significant advantage over A^B. Let B be the blinder who 
simulates SendTag(a, vtag) by answering with a random (b, c). 

Clearly, all Launch and SendReader queries can be perfectly simulated 
so we assume w.l.o.g. that these oracles are no longer used. We use the proof 
methodology of Shoup [ref]. Let game_0 = game_1(0) be the privacy game. 

Let game_1(i) be the same game as game_1(i − 1) in which the ith created tag is 
simulated using an ad-hoc random oracle F_i from {0,1}^{α+β} to {0,1}^γ to compute 
F_{K_i}(a, b) = F_i(a, b). Clearly, |Pr[A wins game_1(i)] − Pr[A wins game_1(i − 1)]| 
can be expressed as a distinguisher advantage for F so it is negligible. Let 
game_1 = game_1(n) where n is the number of tags. Since n is polynomial, 
|Pr[A wins game_1] − Pr[A wins game_0]| is negligible. 

Let game_2 be the same game as game_1 in which the adversary wins when 
SendTag never picked a duplicate b. This duplication happens with probability 
bounded by q^2 · 2^{-β} where q is the number of SendTag queries. Clearly, this 
probability is negligible. Hence |Pr[A wins game_2] − Pr[A wins game_0]| is negligible. 

Using B, |Pr[A^B wins game_2] − Pr[A^B wins game_0]| is negligible as well. 
Clearly, the B simulation is perfect when there is no duplicate b. This leads 
us to |Pr[A^B wins game_2] − Pr[A wins game_2]| being negligible. Finally, we 
obtain that |Pr[A^B wins game_0] − Pr[A wins game_0]| is negligible. Hence, A is a 
trivial adversary. □ 

4.2 Narrow-Destructive Privacy in the Random Oracle Model 

We now consider a new scheme based on two oracles F and G running random 
functions from {0,1}^{α+k} and {0,1}^k to {0,1}^k, respectively. The tag generation 
algorithm SetupTag(ID) picks a random k-bit key K and sets the initial state to 
S = K. The protocol works as depicted on Fig. 2. 

1. Reader picks a random α-bit string a and sends it to tag. 

2. Tag with state S sends c = F(S, a) then refreshes its state S with G(S). 

3. Reader looks for (ID, K) in the database such that c = F(G^i(K), a) with 
i < t, gets ID, and replaces (ID, K) by (ID, G^i(K)) in the database. 
Note that after t iterations without the reader a tag can no longer be identified. 
Thus, this scheme does not satisfy the hypothesis of Lemma 8 (see also Note 18). 
As opposed to the previous construction, F and G cannot be just PRFs since 
the adversary can get the code of F and G by corrupting a tag. 


Tag                                   System 
state: S                              (S = K) {..., (ID, K), ...} 
                       <-- a --       pick a ∈ {0,1}^α 
c = F(S, a)            -- c -->       find (ID, K) and i s.t. 
replace S by G(S)                     c = F(G^i(K), a) and i < t 
                                      replace K by G^i(K) 
                                      output: ID or ⊥ if not found 

Fig. 2. A Narrow-Destructive-Private RFID Scheme based on a Random Oracle 


The OSK protocol [ref] uses no a, so delay attacks can be made. Avoine et al. 
[ref] proposed to add a random a and use c = F(S ⊕ a). Dimitriou [ref] proposed 
to add a (useless) b and to send F(S) and b in addition to c = F(S, a, b).⁴ 
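An added Python simulation (not the paper's code) of the Fig. 2 scheme, with domain-separated SHA-256 standing in for the random oracles F and G and a small lookahead window t. It shows the database entry being replaced by G^i(K) at each identification, so the reader re-synchronizes with a tag that ran a few executions on its own, and the limitation noted above: after t executions the reader never saw, identification fails and, because the tag keeps advancing its state, stays failed. Parameter lengths, t and all names are assumptions of this example.

```python
"""Added example: the Fig. 2 OSK-like scheme with lookahead window t.
Domain-separated SHA-256 stands in for the random oracles F and G (assumption)."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

K_LEN = 16   # byte length of the tag state / key (assumed parameter)
ALPHA = 16   # byte length of the reader challenge a (assumed parameter)


def F(state: bytes, a: bytes) -> bytes:
    """F: {0,1}^(alpha+k) -> {0,1}^k, the tag's response function."""
    return hashlib.sha256(b"F" + state + a).digest()[:K_LEN]


def G(state: bytes) -> bytes:
    """G: {0,1}^k -> {0,1}^k, the one-way state refresh."""
    return hashlib.sha256(b"G" + state).digest()[:K_LEN]


class Tag:
    def __init__(self, key: bytes) -> None:
        self.state = key          # SetupTag sets S = K

    def respond(self, a: bytes) -> bytes:
        """Step 2: answer c = F(S, a), then replace S by G(S)."""
        c = F(self.state, a)
        self.state = G(self.state)
        return c


class Reader:
    def __init__(self, t: int) -> None:
        self.t = t
        self.db: Dict[str, bytes] = {}

    def setup_tag(self, ident: str) -> Tag:
        key = secrets.token_bytes(K_LEN)
        self.db[ident] = key
        return Tag(key)

    def challenge(self) -> bytes:
        """Step 1: a random alpha-bit string a."""
        return secrets.token_bytes(ALPHA)

    def identify(self, a: bytes, c: bytes) -> Optional[str]:
        """Step 3: find (ID, K) and i < t with c = F(G^i(K), a); on success
        replace the entry by (ID, G^i(K)); None stands for the bottom output."""
        for ident, key in self.db.items():
            cand = key
            for _ in range(self.t):
                if hmac.compare_digest(F(cand, a), c):
                    self.db[ident] = cand
                    return ident
                cand = G(cand)
        return None


def run_protocol(reader: Reader, tag: Tag) -> Optional[str]:
    """One complete execution between the reader and a tag."""
    a = reader.challenge()
    return reader.identify(a, tag.respond(a))


def identify_sequence(t: int, offline_runs: int, online_runs: int) -> List[Optional[str]]:
    """Tag ID0 first answers offline_runs challenges the reader never sees (its
    state advances by G each time), then runs online_runs executions with the
    reader. For offline_runs < t the reader catches up and re-synchronizes its
    entry; for offline_runs >= t every identification fails."""
    reader = Reader(t)
    tag = reader.setup_tag("ID0")
    reader.setup_tag("ID1")   # a second entry so the search is not trivial
    for _ in range(offline_runs):
        tag.respond(secrets.token_bytes(ALPHA))
    return [run_protocol(reader, tag) for _ in range(online_runs)]
```

The window t bounds the reader's work per entry (t hash evaluations) and is also what makes Lemma 8 inapplicable: a legitimate tag that has advanced t or more steps is answered with ⊥ even though the conversation matches, which is the behaviour Note 18 below turns into a distinguishing event.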

Theorem 15. Assuming that k and t are polynomially bounded and that 2^{-k} 
is negligible, the above scheme is a secure and narrow-destructive private RFID 
scheme in the random oracle model. 

Note 16. This is not narrow-strong private since early corruption enables to link 
tags. So, narrow-destructive privacy does not imply narrow-strong privacy. 

Note 17. We can artificially tweak the protocol of Th. 15 to get narrow-forward 
privacy but not narrow-destructive privacy, which separates the two models. 
To do so, we add in all tag states a common secret K_s such that when a tag 
receives a = K_s it outputs c = S. Readers should not select a = K_s but narrow- 
destructive adversaries could do so after a tag is sacrificed to leak K_s. 
Obviously, the scheme is no longer narrow-destructive private. Nevertheless, it is still 
narrow-forward private since corruption output cannot be used in interaction. 

Note 18. As pointed out in Juels-Weis [ref], a weak adversary against the scheme 
of Fig. 2 could run a sort of denial of service. The adversary proceeds as follows. 

1: CreateTag(ID_0), CreateTag(ID_1) 
2: vtag_0 ← DrawTag(ID_0) 
3: for i = 1 to t + 1 do 
4:     pick a random x 
5:     SendTag(x, vtag_0) 
6: end for 
7: Free(vtag_0) 
8: (vtag, ·) ← DrawTag(Pr[ID_0] = Pr[ID_1] = 1/2) 
9: (π, ·) ← Execute(vtag) 
10: x ← Result(π) 
11: get T and output whether T(vtag) = ID_x 

Clearly, Pr[A wins] = 1, but for any blinder B, we have Pr[A^B wins] = 1/2. So 
this weak adversary is not trivial. Hence, narrow-destructive privacy does not 
imply weak privacy. 

⁴ Sending F(S) is used to decrease the workload in optimistic cases. 

Proof. Correctness. False negatives are not possible. False positives and wrong 
identifications are possible when, given K, a, and i, there exist K' and j < t 
such that K' ≠ K and F(G^i(K), a) = F(G^j(K'), a). In the random oracle 
model, the probability of such an event is at most nt^2 2^{-k}, which is negligible. 

Security. We apply Lemma 5 where oracle R(ID, K; a, c) simply checks that there 
exists i < t such that F(G^i(K), a) = c and R'(n) ⟺ n < t. By using standard 
random oracle techniques, we can assume that A never queries F with G^i(K) 
for i = 0, ..., t + n − 1 where n is the number of SendTag queries. 

We proceed as in the proof of Th. 13 with the same notations. If t'_i < t, Pr[a = a_i] 
is negligible. If t < t'_i, winning cases are for (a_i, c_i) ≠ (a, c) and c = F(G^j(K), a) 
for some j smaller than t. Since A never queried F with any G^j(K) and the 
tag did not query it with any (G^j(K), a), the values of F(G^j(K), a) are free so 
Pr[c = F(G^j(K), a); j < t] = t2^{-k}, which is negligible. 

Narrow-Destructive Privacy. Clearly, all Launch and SendReader queries are 
trivial to simulate since no Result query is allowed. So, we assume w.l.o.g. that 
no such query is made. We want to prove that, for any adversary A there exists 
a blinder B such that A has no significant advantage over A^B. 

Let E (resp. E') be the event that at least one of the queries by A to the F 
or the G oracles equals one query made (resp. that should have been made if it 
was not blinded) by some SendTag(a, vtag) query. 

SendTag queries are simulated by B by returning a random c. Note that there 
is no SendTag query to corrupted tags since adversaries are destructive. This 
simulation is perfect (in the sense that the adversary and the blinded adversary 
recover the same information about the virtual tag from the protocol transcript) 
when the event E does not occur. Namely, Pr[A wins | ¬E] = Pr[A^B wins | ¬E'] 
and Pr[E] = Pr[E']. 

Hence, |Pr[A wins] − Pr[A^B wins]| ≤ Pr[E]. If q queries to F and G were 
made by A, in the worst case A knows that all G^i(K)'s are in a set of 2^k − q 
values. Note that no Corrupt query gives information on any G^i(K) that can 
be used by any SendTag query. The probability to pick one is at most 
where n is the number of tags. Hence, E occurs with probability at most 
which is negligible. □ 

4.3 Narrow-Strong and Forward Privacy Based on a PKC 

We now achieve narrow-strong and forward privacy using public-key 
cryptography. We use the standard definitions of public-key cryptosystems (PKC), 
IND-CPA and IND-CCA security [ref]. A PKC consists of a key generator, 
a probabilistic encryption algorithm, and a deterministic decryption algorithm. 
It must be correct in the sense that the decryption of the encryption 
of any x is always x. The scheme is IND-CPA-secure (resp. IND-CCA-secure) if 
all polynomial-time adversaries win the IND-CPA (resp. IND-CCA) game with 
negligible advantage. In the IND-CPA game, the adversary receives a public key, 
submits two plaintexts, receives the encryption of one of the two, and tries to 
guess which plaintext was encrypted. In the IND-CCA game, the adversary can 
query a decryption oracle, except on the received ciphertext. 


Tag                                       System 
state: K_P, ID, K (K = F_{K_M}(ID))       secret keys: K_S, K_M 
                          <-- a --        pick a ∈ {0,1}^α 
c = Enc_{K_P}(ID||K||a)   -- c -->        parse Dec_{K_S}(c) = ID||K||a' 
                                          check a' = a and K = F_{K_M}(ID) 
                                          output: ID or ⊥ if failed 

Fig. 3. A Narrow-Strong and Forward-Private RFID Scheme based on a PKC 


We initialize the scheme by generating a private/public key pair (K_S, K_P) for 
the Enc/Dec PKC. The tag generation algorithm SetupTag(ID) picks a random 
k-bit key K and sets the initial state to S = (K_P, ID, K). We assume that k and 
α are polynomial. The protocol works as depicted on Fig. 3. 

1. Reader sends an identification request with an α-bit random a. 

2. Tag calculates c = Enc_{K_P}(ID||K||a) and sends c to the reader. 

3. Reader gets ID||K||a = Dec_{K_S}(c) and checks that a is correct and that 
(ID, K) is in the database.⁵ 

Theorem 19. If the public-key cryptosystem is IND-CPA-secure then the above 
RFID scheme is narrow-strong private. If the cryptosystem is IND-CCA-secure 
and 2^{-k} is negligible, the RFID scheme is further secure and forward private. 

Namely, with an IND-CCA PKC, this RFID scheme achieves privacy with respect 
to the class 

FORWARD ∪ (NARROW ∩ STRONG). 

Due to Th. 9 this scheme is not strong private so narrow-strong privacy does 
not imply strong privacy and forward privacy does not imply strong privacy. 

Proof. Correctness. This comes from the correctness of the cryptosystem. 

Narrow-Strong Privacy. We prove that for any narrow-strong adversary A there 
exists a blinder B such that A has no significant advantage over A^B. Since the 
reader just sends a random a and no Result query is allowed, every Launch and 
SendReader query can be simulated in a trivial way so we can assume without 
loss of generality that no such query is done. We construct the blinder by using 
standard hybrid arguments. We consider the hybrid blinder B_i which works as 
follows: any of the i first SendTag queries with input a returns the encryption 
c of a random r of the same length as ID||K||a. Other SendTag queries by A are 
forwarded to the SendTag oracle. 

⁵ Using K = F_{K_M}(ID) as depicted on Fig. 3, given a PRF F and a master secret K_M, 
does not modify our result. The same simplification could apply to the scheme of 
Fig. 1 as well, in order to shrink the database. 

The adversary, hybrid blinders, and tags can be simulated without using K_S. 
Let S_i be a simulator for the A^{B_i} attack except for the ith SendTag query which 
is indeed released. We use S_i to play the IND-CPA game. At the beginning, S_i 
receives K_P and runs the simulator for A^{B_i}. At the moment of the ith query 
a, S_i computes m_0 = ID||K||a as B_{i−1} would do to simulate the tag, computes 
m_1 = r as B_i would do, and submits m_0 and m_1 to the IND-CPA game. S_i 
receives an encrypted value c of either m_0 or m_1 that is used to respond to the 
query and continues the simulation. At the end, S_i looks whether A^{B_i} won the 
privacy game or not. If it won, S_i outputs 0. Otherwise, S_i outputs 1. Clearly 
A = A^{B_0}, Adv^{IND}(S_i) = Pr[A^{B_{i−1}} wins] − Pr[A^{B_i} wins], and B = B_{q_T} is a full 
blinder where q_T is the number of SendTag queries. The complexity of S_i is 
polynomial. Due to IND-CPA security, |Pr[A wins] − Pr[A^B wins]| is negligible. 

Security. The protocol suits the special form in Lemma 5 where R(ID, K; a, c) 
means Dec_{K_S}(c) = ID||K||a and R' is always true. We can thus prove simple 
security and apply Lemma 5. 

Let A be an adversary for the simple security game with a single tag ID and 
a single instance π (others are simulated). W.l.o.g. A does not query R(·; ·, c) 
when there is a protocol transcript (·, c). (The first input of R queries cannot 
be ID thus R cannot be satisfied.) A queries SendReader(π) → a at time 
t, SendTag(a_i, ID) → c_i at time t'_i, and ends by SendReader(c, π). If t'_i < t, 
Pr[a_i = a] is negligible. If t < t'_i, winning cases are for (a, c) ≠ (a_i, c_i), Dec_{K_S}(c) = 
ID||K||a, and Dec_{K_S}(c_i) = ID||K||a_i. Hence, w.l.o.g. we can assume that c ≠ c_i 
for all i. 

We construct a partial blinder B_i as before. We construct a simulator S_i 
for A^{B_i} playing the IND-CCA game as before. S_i terminates by determining 
whether A succeeded by sending c to a decryption oracle. Finally, by using the 
IND-CCA security, we obtain a blinded adversary A^B such that |Pr[A wins] − 
Pr[A^B wins]| is negligible. Clearly, if the tag is no longer used and the reader 
leaks no information, making it identify the tag reduces to guessing the tag key 
K which can only happen with probability 2^{-k}, which is negligible. 

Forward Privacy. Narrow-forward privacy implies forward privacy thanks to 
Lemma 8. □ 

5 Conclusion 

We have proven that public-key cryptography can assure the highest level of 
feasible privacy in RFID: narrow-strong and forward privacy, even with stateless 
protocols. We have shown narrow-destructive privacy for an OSK-like protocol 
in the random oracle model. Finally, we have proven weak privacy for a simple 
challenge-response protocol. The problems of achieving destructive privacy or 
forward privacy without public-key techniques are left open. 

Acknowledgment. I thank Gildas Avoine for providing many useful references. 
Obtaining Universally Composable Security: 
Towards the Bare Bones of Trust* 

Ran Canetti 

IBM T.J. Watson Research Center 


Abstract. A desirable goal for cryptographic protocols is to guarantee 
security when the protocol is composed with other protocol instances. 
Universally Composable (UC) security provides this guarantee in a strong 
sense: A UC-secure protocol maintains its security properties even when 
composed concurrently with an unbounded number of instances of arbi- 
trary protocols. However, many interesting cryptographic tasks are prov- 
ably impossible to realize with UC security, unless some trusted set-up 
is assumed. Impossibility holds even if ideally authenticated communi- 
cation channels are provided. 

This survey examines and compares a number of set-up assumptions 
(models) that were recently demonstrated to suffice for constructing 
UC-secure protocols that realize practically any cryptographic task. We 
start with the common reference string (CRS) and key registration (KR) 
models. We then proceed to the “sunspot” models, which allow for some 
adversarial control over the set-up, a number of models which better 
capture set-up that is globally available in the system, and a timing 
assumption. Finally, we briefly touch upon set-up models for obtaining 
authenticated communication. 


1 Introduction 

Designing protocols that guarantee security in open, multi-protocol, 
multi-party execution environments is a challenging task. In such environ- 
ments a protocol instance is executed concurrently with an unknown number 
of instances of the protocol, as well as arbitrary other protocols. Indeed, it 
has been demonstrated time and again that adversarially-coordinated interac- 
tions between different protocol instances can compromise the security of pro- 
tocols that were demonstrated to be secure when run in isolation (see, e.g., 
[GK89, DDN00, KSW97, DNS98, KLR06, Can06]). A natural way of guarantee- 
ing security of protocols in such complex execution environments is to require 
that protocols satisfy a notion of security that provides a general secure com- 
posability guarantee. That is, it should be guaranteed that a secure protocol 

* This survey complements a talk given by the author at this conference. Work sup- 
ported by NSF grants CT-0430450 and CFF-0635297, and US-Israel Binational 
Science Foundation Grant 2006317. 

K. Kurosawa (Ed.): ASIACRYPT 2007, LNCS 4833, pp. 88-112, 2007. 

maintains its security even when composed with (i.e., runs alongside) arbitrary 
other protocols. Such a general notion of security is provided by the universally 
composable (UC) security framework [C01], which provides a very general compos- 
ability property: A UC secure protocol is guaranteed to maintain its security 
(in the sense of emulating an ideally trusted and secure service) even when run 
concurrently with multiple copies of itself, plus arbitrary network activity. 

Which cryptographic tasks are realizable by protocols that guarantee UC se- 
curity? Are existing protocols, which are known to be secure in a stand-alone 
setting, UC secure? When the majority of the parties are honest (i.e., they are 
guaranteed to follow the protocol), the general feasibility results for stand-alone 
secure computations can be extended to the case of UC security. In fact, some 
known protocols for general secure function evaluation turn out to be UC secure. 
For instance, the [BGW88] protocol (both with and without the simplification of 
[GRR98]), together with encrypting each message using non-committing encryp- 
tion [CFGN96], is universally composable as long as less than a third of the parties 
are corrupted, and authenticated and synchronous communication is available. 
Using [RB89], any corrupted minority is tolerable. Asynchronous communication 
can be handled using the techniques of [BCG93, BKR94]. Note that here some 
of the participants may be “helpers” (e.g., dedicated servers) that have no local 
inputs or outputs; they only participate in order to let other parties obtain their 
outputs in a secure way. 

However, things are different when an honest majority of the parties is not guar- 
anteed, and in particular in the case where only two parties participate in the 
protocol and either one of the parties may be corrupted: It turns out that many 
interesting tasks are impossible to realize in the “bare” model of computation. 
Impossibility holds even if ideally authenticated communication is guaranteed. 
(In keeping with common terminology, we use the terms plain protocols and proto- 
cols in the plain model to denote protocols that assume ideally authenticated com- 
munication but no other set-up.) For instance, basic cryptographic tasks such as 
Bit Commitment, Coin-Tossing, Zero-Knowledge, or Oblivious Transfer cannot 
be realized by plain protocols, when naturally translated to the UC framework. 
Impossibility also extends to many other tasks [CF01, C01, CKL06, DDMRS06], 
including multi-party extensions of these primitives, whenever the honest parties 
are not in majority. 

One potential approach for circumventing these impossibility results is to 
come up with relaxed notions of security that would still guarantee meaningful 
composable security, and at the same time would be realizable by plain pro- 
tocols. It turns out, however, that such an approach will necessarily result in 
notions of security that either do not provide general composability guarantees, 
or alternatively are too weak to guarantee even stand-alone security as in, say, 
[C00] (see e.g. [Lin03, Lin04, Can06]). Still, some meaningful such relaxations exist, 
see e.g. [PS04, BS05, MMY06]. 

Another approach is to stick with UC security, but consider protocols that 
rely on some trusted set-up assumption on the system. Here the meaningfulness 
of the security guarantee hinges on the “reasonability” of the set-up assumption, 
or in other words on the ability to realize the assumed set-up in actual systems. 

This survey studies some set-up assumptions (or, models) that were recently 
proposed and shown to suffice for realizing essentially any cryptographic task in 
a universally composable way. The various set-up models are compared to each 
other, and the relative strengths and weaknesses are discussed. 

The survey is organized as follows. Section 2 provides a brief review of the 
UC security framework. Section 3 reviews the basic impossibility result for ob- 
taining UC commitment in the plain model. Section 4 reviews the common ref- 
erence string (CRS) set-up. Section 5 reviews the key registration (KR) set-up. 
Section 6 reviews the adversarially controlled CRS (Sunspot) set-up. Section 7 
reviews the augmented CRS (ACRS) set-up. Section 8 reviews the timing set-up 
assumption, which relates to the delays on message delivery. Section 9 briefly 
discusses set-up assumptions for the purpose of obtaining authenticated commu- 
nication. Section 10 concludes and discusses some open problems. 


2 UC Security: A Brief Review 

This section briefly reviews the UC framework. As in many other frameworks 
(e.g., [GL90, MR91, B91, C00, PW00, PW01]), the security of protocols with re- 
spect to a given task is defined via the “trusted party paradigm” [GMW87], where 
the protocol execution is compared with an ideal process where the outputs are 
computed by a trusted party that sees all the inputs. That is, a protocol is said 
to securely carry out a given task if running the protocol with a realistic ad- 
versary amounts to “emulating” the ideal process with the appropriate trusted 
party. We call the algorithm run by the trusted party an ideal functionality. 

The UC framework substantiates this approach as follows. First, the process of 
executing a protocol in the presence of an adversary and in a given computational 
environment is substantiated. Next, the “ideal process” for carrying out the 
task is substantiated. Finally, one defines what it means for an execution of the 
protocol to “mimic” the ideal process. We sketch these three steps. 

The Model of Protocol Execution. The model for executing a multiparty 
protocol $\pi$ consists of a system of computing elements (modeled as interactive 
Turing machines, or ITMs) $(\mathcal{Z}, \mathcal{A}, M_1, M_2, \ldots)$ where $\mathcal{Z}$ and $\mathcal{A}$ are adversar- 
ial entities called the environment and adversary, respectively, and the machines 
$M_1, M_2, \ldots$ represent parties that run an “extended instance” of $\pi$. (An instance 
of protocol $\pi$ is a set of ITMs that run $\pi$ and in addition have a common iden- 
tifier, called the session ID. The number of parties in an instance may vary 
from instance to instance, as well as during the lifetime of an instance.) Intu- 
itively, the environment represents all the other protocols running in the system, 
including the protocols that provide inputs to, and obtain outputs from, the 
protocol instance under consideration. The adversary represents adversarial ac- 
tivities that are directly aimed at the protocol execution under consideration, 
including attacks on protocol messages and corruption of protocol participants. 
An execution of the system consists of a sequence of activations of the individ- 
ual elements, where the environment is activated first, and in each activation the 
active element determines the next element to be active, by sending information 
to it. This information may be labeled as either input, output, or protocol mes- 
sage. We impose the following restrictions on the way in which the above system 
runs. The environment $\mathcal{Z}$ is allowed to provide only inputs to other machines. 
A party of $\pi$ may send messages to $\mathcal{A}$, or give outputs to the environment. The 
adversary $\mathcal{A}$ may give output to $\mathcal{Z}$ or send messages to other parties. 

Let $\mathrm{EXEC}_{\pi,\mathcal{A},\mathcal{Z}}(z)$ denote the random variable (over the local random choices 
of all the involved machines) describing the output of environment $\mathcal{Z}$ when inter- 
acting with adversary $\mathcal{A}$ and parties running protocol $\pi$ on input $z$ as described 
above. Let $\mathrm{EXEC}_{\pi,\mathcal{A},\mathcal{Z}}$ denote the ensemble $\{\mathrm{EXEC}_{\pi,\mathcal{A},\mathcal{Z}}(z)\}_{z \in \{0,1\}^*}$. We restrict 
attention to the case where the environment outputs only a single bit; namely, 
the ensemble $\mathrm{EXEC}_{\pi,\mathcal{A},\mathcal{Z}}$ is an ensemble of distributions over $\{0,1\}$. 

Subroutines. For the purpose of formulating the ideal process and the notion 
of protocol composition it will be convenient to allow designating an ITM as 
a subroutine of another ITM. If an ITM $M$ is a subroutine of $M'$ then $M'$ 
can give input to $M$ and $M$ can give output to $M'$. Note that $M$ and $M'$ may 
have different session IDs and run different codes. The above model of protocol 
execution is then extended in the natural way to protocols where the parties have 
subroutines, with the important restriction that the environment only provides 
inputs to and receives outputs from the parties of a single instance of $\pi$. In 
particular, it does not directly communicate with any subroutine of a party of 
that single instance. 

Ideal Functionalities and Ideal Protocols. Security of protocols is defined 
via comparing the protocol execution to an ideal process for carrying out the 
task at hand. For convenience of presentation, we formulate the ideal process 
for a task as a special protocol within the above model of protocol execution. 
(This avoids formulating an ideal process from scratch.) A key ingredient in this 
special protocol, called the ideal protocol, is an ideal functionality that captures 
the desired functionality, or the specification, of the task by way of a set of 
instructions for a “trusted party”. 

That is, let $\mathcal{F}$ be an ideal functionality (i.e., an algorithm for the trusted 
party). Then an instance of the ideal protocol $\mathrm{IDEAL}_{\mathcal{F}}$ consists of dummy parties, 
plus a party $\mathcal{F}$ that is a subroutine of all the main parties. Upon receiving an input 
$v$, each dummy party forwards $v$ as input to the subroutine $\mathcal{F}$. Any subroutine 
output coming from $\mathcal{F}$ is forwarded by the dummy party as subroutine output for 
the environment. We note that $\mathcal{F}$ can model reactive computation, in the sense 
that it can maintain local state and its outputs may depend on all the inputs 
received and all random choices so far. In addition, $\mathcal{F}$ may receive messages 
directly from the adversary $\mathcal{A}$, and may contain instructions to send messages 
to $\mathcal{A}$. This “back-door channel” of direct communication between $\mathcal{F}$ and $\mathcal{A}$ 
provides a way to relax the security guarantees provided by $\mathcal{F}$. Specifically, by 
letting $\mathcal{F}$ take into account information received from $\mathcal{A}$, it is possible to capture 
the “allowed influence” of the adversary on the outputs of the parties, in terms 
of both contents and timing. By letting $\mathcal{F}$ provide information directly to $\mathcal{A}$ it 
is possible to capture the “allowed leakage” of information on the inputs and 
outputs of the parties. 

Protocol Emulation. It remains to define what it means for a protocol to 
“mimic” or “emulate” the ideal process for some task. As a step towards this 
goal, we first formulate a more general notion of emulation, which applies to 
any two protocols. Informally, protocol $\pi$ emulates protocol $\phi$ if, from the point 
of view of any environment, protocol $\pi$ is “just as good” as $\phi$, in the sense 
that no environment can tell whether it is interacting with $\pi$ and some (known) 
adversary, or with $\phi$ and some other adversary. More precisely: 

Definition (protocol emulation): Protocol $\pi$ UC-emulates protocol $\phi$ if for 
any adversary $\mathcal{A}$ there exists an adversary $\mathcal{S}$ such that, for any environment 
$\mathcal{Z}$ the ensembles $\mathrm{EXEC}_{\pi,\mathcal{A},\mathcal{Z}}$ and $\mathrm{EXEC}_{\phi,\mathcal{S},\mathcal{Z}}$ are indistinguishable. That is, on 
any input, the probability that $\mathcal{Z}$ outputs 1 after interacting with $\mathcal{A}$ and parties 
running $\pi$ differs by at most a negligible amount from the probability that $\mathcal{Z}$ 
outputs 1 after interacting with $\mathcal{S}$ and $\phi$. 

Once the general notion of protocol emulation is defined, the notion of realizing 
an ideal functionality is immediate: 

Definition (realizing functionalities): Protocol $\pi$ UC-realizes an ideal func- 
tionality $\mathcal{F}$ if $\pi$ emulates $\mathrm{IDEAL}_{\mathcal{F}}$, the ideal protocol for $\mathcal{F}$. 


2.1 The Universal Composition Theorem 

As in the case of protocol emulation, we present the composition operation and 
theorem in the more general context of composing two arbitrary protocols. The 
case of composing ideal protocols follows as a special case. 

The Universal Composition Operation. The universal composition oper- 
ation is a natural generalization of the “subroutine substitution” operation for 
sequential algorithms to the case of distributed protocols. That is, let $\rho$ be a pro- 
tocol that contains instructions to call protocol $\phi$ as a subroutine, and 
let $\pi$ be a protocol that UC-emulates $\phi$. The composed protocol, denoted $\rho^{\pi/\phi}$, 
is the protocol that is identical to $\rho$, except that each instruction to call protocol 
$\phi$ is replaced with an instruction to call protocol $\pi$ with the same parameters and 
inputs. Similarly, any output from a party running $\pi$ is treated as an input from 
a party running $\phi$. In particular, if some party running $\rho$ calls multiple instances 
of $\phi$, differentiated via their session IDs, then the corresponding instance of $\rho^{\pi/\phi}$ 
will use multiple instances of $\pi$. 

The Composition Theorem. In its general form, the composition theorem 
says that if protocol $\pi$ UC-emulates protocol $\phi$ then, for any protocol $\rho$, the 
composed protocol $\rho^{\pi/\phi}$ emulates $\rho$. This can be interpreted as asserting that 
replacing calls to $\phi$ with calls to $\pi$ does not affect the behavior of $\rho$ in any 
distinguishable way. 

There is one caveat: For this result to hold we need that protocols $\pi$ and 
$\rho$ are “nice” in that only the main parties of the protocol have I/O with the 
outside world. More precisely, say that a protocol $\pi$ is subroutine respecting if 
only the main parties of any instance of $\pi$ receive input from external parties and 
send output to external parties. In particular, subroutines of the main parties, 
and subroutines thereof, do not directly get inputs from or send outputs to an 
external party. Then: 

Theorem (universal composition): Let $\rho, \phi, \pi$ be subroutine respecting pro- 
tocols such that $\rho$ uses $\phi$ as subroutine and $\pi$ UC-emulates $\phi$. Then protocol $\rho^{\pi/\phi}$ 
UC-emulates $\rho$. In particular, if $\rho$ UC-realizes an ideal functionality $\mathcal{G}$ then so 
does $\rho^{\pi/\phi}$. 

A first, immediate corollary of the general theorem states that if protocol $\pi$ 
UC-realizes an ideal functionality $\mathcal{F}$, and $\rho$ uses as subroutine protocol $\mathrm{IDEAL}_{\mathcal{F}}$, 
the ideal protocol for $\mathcal{F}$, then the composed protocol $\rho^{\pi/\mathrm{IDEAL}_{\mathcal{F}}}$ UC-emulates $\rho$.¹ 

Another corollary states that if $\pi$ UC-realizes an ideal functionality $\mathcal{G}$, then so 
does $\rho^{\pi/\phi}$. 

Remark: On the Universality of Universal Composition. Many different 
ways of “composing together” protocols into larger systems are considered in the 
literature. Examples include sequential, parallel, and concurrent composition, of 
varying number of protocol instances, where the composed instances are run 
either by the same set of parties or by different sets of parties, use either the 
same program or different programs, and have either the same input or different 
inputs. A more detailed discussion appears in [Can06]. 

We observe that all of these composition methods can be captured as special 
cases of universal composition. That is, any such method for composing together 
protocol instances can be captured by an appropriate “calling protocol” $\rho$ that 
uses the appropriate number of protocol instances as subroutines, provides them 
with appropriately chosen inputs, and arranges for the appropriate synchroniza- 
tion in message delivery among the various subroutine instances. Consequently, 
it is guaranteed that a protocol that UC-realizes an ideal functionality $\mathcal{F}$ con- 
tinues to UC-realize $\mathcal{F}$ even when composed with other protocols using any of 
the composition operations considered in the literature. 


2.2 Generalized UC Security 

In the UC framework the UC theorem holds only for protocols which are subrou- 
tine respecting. This simplifies the model and the analysis of protocols within it, 
but it does not allow to guarantee security in interesting cases where the same 
computational entity is used as a subroutine within multiple protocol instances. 

¹ We say that an instance of protocol $\rho$ uses an instance of protocol $\phi$ as a subroutine 
if each party in the instance of $\phi$ is a subroutine of some party of the instance of $\rho$. 

To get around this limitation, the generalized UC (GUC) framework [CDPW07] 
modifies the model of protocol execution by allowing the environment to create 
and interact with other entities, in addition to the adversary and the parties of 
a single instance of the analyzed protocol, $\pi$. These additional entities may in 
turn provide inputs to and get outputs from participants in $\pi$. Say that protocol 
$\pi$ GUC-emulates protocol $\phi$ if $\pi$ UC-emulates $\phi$ with the modified protocol 
execution model. Now it can be seen that, within the GUC framework, the UC 
theorem holds even with respect to protocols that are not subroutine respecting: 

Theorem (generalized universal composition): Let $\rho, \phi, \pi$ be protocols such 
that $\rho$ uses $\phi$ as subroutine and $\pi$ GUC-emulates $\phi$. Then protocol $\rho^{\pi/\phi}$ UC- 
emulates $\rho$. In particular, if $\rho$ GUC-realizes an ideal functionality $\mathcal{G}$ then so 
does $\rho^{\pi/\phi}$. 

Two results surveyed here use this generalized model, for different purposes. One 
is the modeling of the augmented CRS model in [CDPW07], with the purpose of 
modeling set-up that is available to more than one protocol instance. The other 
is the modeling of adversarially controlled reference strings in [CPS07]. 

3 Prologue: Impossibility of UC Commitment 

We recall some basic results regarding realizability of functionalities in the UC 
framework. These results motivate and shape the search for better set-up as- 
sumptions. 

In a nutshell, the natural formulations of Commitment, Zero-Knowledge, Coin 
Tossing, or Oblivious Transfer as ideal functionalities within the UC framework 
turn out to be “complete” for UC realizability. That is, UC-realizing any one of 
these functionalities is necessary and sufficient for obtaining general realizability 
results for practically any ideal functionality. 

In other words, there exist ideal functionalities, $\mathcal{F}_{\mathrm{COM}}$, $\mathcal{F}_{\mathrm{ZK}}$, $\mathcal{F}_{\mathrm{OT}}$, that 
naturally capture the security requirements from the corresponding primitives, 
and such that it is possible to UC-realize any one of these ideal functionalities 
by protocols that make use of any one of these ideal functionalities as a sub- 
routine (see [C01] for more details). Furthermore, there exist constructions for 
UC-realizing any “well-formed” ideal functionality via protocols that use, say, 
$\mathcal{F}_{\mathrm{ZK}}$ as subroutine (see e.g. [CLOS02]). 

Furthermore, it is impossible to UC-realize any one of these functionalities 
via two-party plain protocols. 

Here we briefly recall the impossibility result for UC-realizing the ideal com- 
mitment functionality, $\mathcal{F}_{\mathrm{COM}}$. Impossibility for the other primitives follows similar 
lines. First, however, let us recall the formulation of $\mathcal{F}_{\mathrm{COM}}$. 

The Ideal Commitment Functionality. The ideal commitment function- 
ality, $\mathcal{F}_{\mathrm{COM}}$, formalizes the “sealed envelope” intuition in a straightforward way. 
That is, when receiving from the committer $C$ an input requesting to commit 
to value $x$ to a receiver $R$, $\mathcal{F}_{\mathrm{COM}}$ records $(x, R)$ and notifies $R$ and the adversary 
that $C$ has committed to some value. (Notifying the adversary means that the 
fact that a commitment took place need not be hidden.) The opening phase is 
initiated by the committer inputting a request to open the recorded value. In 
response, $\mathcal{F}_{\mathrm{COM}}$ outputs $x$ to $R$ and the adversary. (Giving $x$ to the adversary 
means that the opened value can be publicly available.) 

In order to correctly handle adaptive corruption of the committer during the 
course of the execution, $\mathcal{F}_{\mathrm{COM}}$ responds to a request by the adversary to corrupt 
$C$ by first outputting a corruption output to $C$, and then revealing the recorded 
value $x$ to the adversary. In addition, if the Receipt value was not yet delivered 
to $R$, then $\mathcal{F}_{\mathrm{COM}}$ allows the adversary to modify the committed value. This last 
stipulation captures the fact that the committed value is fixed only at the end 
of the commit phase, thus if the committer is corrupted during that phase then 
the adversary might still be able to modify the committed value. (Corruption of 
the receiver does not require any move.) 

$\mathcal{F}_{\mathrm{COM}}$ is described in Figure 1. For brevity, we use the following terminology: 
The instruction “send a delayed output $x$ to party $P$” should be interpreted as 
“send $(x, P)$ to the adversary; when receiving ok from the adversary, output $x$ 
to $P$.” 


Functionality $\mathcal{F}_{\mathrm{COM}}$ 

1. Upon receiving an input (Commit, $x$) from party $C$, record $(C, R, x)$ 
and generate a delayed output (Receipt) to $R$. Ignore any subsequent 
(Commit, ...) inputs. 

2. Upon receiving an input (Open) from $C$, do: If there is a recorded value 
$x$ then generate a delayed output (Open, $x$) to $R$. Otherwise, do nothing. 

3. Upon receiving a message (Corrupt, $C$) from the adversary, output a 
Corrupted value to $C$, and send $x$ to the adversary. Furthermore, if the 
adversary now provides a value $x'$, and the (Receipt) output was not 
yet written on $R$’s tape, then change the recorded value to $x'$. 


Fig. 1. The Ideal Commitment functionality, $\mathcal{F}_{\mathrm{COM}}$ 
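To make the three rules of Figure 1 concrete, here is an added, executable model of $\mathcal{F}_{\mathrm{COM}}$ (example code, not part of the survey): it implements the “delayed output” convention, in which the adversary must say ok before an output reaches its recipient, and the adaptive-corruption rule, under which the adversary may replace the committed value only while the Receipt is not yet on $R$’s tape. The class and function names (FCom, Party, the scenario functions) are our own.

```python
"""Executable model of the ideal commitment functionality F_COM (Figure 1).

Constructed example: the names FCom, Party and the scenario_* functions are
ours, not the survey's.  The model follows the figure's three rules exactly;
the adversary is driven through the adversary_* methods.
"""
from dataclasses import dataclass, field
from typing import Any, List, Optional, Tuple


@dataclass
class Party:
    """A dummy party: we only track its output tape, as the environment sees it."""
    name: str
    tape: List[Tuple] = field(default_factory=list)


@dataclass
class FCom:
    committer: Party
    receiver: Party
    recorded: Optional[Any] = None                 # x, once (Commit, x) arrived
    pending: List[Tuple[str, Party]] = field(default_factory=list)  # delayed outputs
    receipt_delivered: bool = False                # is (Receipt) on R's tape?
    committer_corrupted: bool = False
    adversary_view: List[Tuple] = field(default_factory=list)  # everything A learns

    def _delayed_output(self, label: str, party: Party) -> None:
        # "send (msg, P) to the adversary; when receiving ok, output msg to P"
        self.adversary_view.append((label, party.name))
        self.pending.append((label, party))

    def input_commit(self, sender: Party, x: Any) -> None:
        # Rule 1: record once; any later Commit input is ignored.
        if sender is not self.committer or self.recorded is not None:
            return
        self.recorded = x
        self._delayed_output("Receipt", self.receiver)

    def input_open(self, sender: Party) -> None:
        # Rule 2: only meaningful if a value is recorded.
        if sender is not self.committer or self.recorded is None:
            return
        self._delayed_output("Open", self.receiver)

    def adversary_ok(self) -> Optional[Tuple]:
        # The adversary releases the oldest pending delayed output.
        if not self.pending:
            return None
        label, party = self.pending.pop(0)
        # The opened value is read at delivery time, so a change made under
        # rule 3 before the Receipt was delivered is what R eventually sees.
        msg = ("Receipt",) if label == "Receipt" else ("Open", self.recorded)
        party.tape.append(msg)
        if label == "Receipt" and party is self.receiver:
            self.receipt_delivered = True
        return msg

    def adversary_corrupt_committer(self) -> Any:
        # Rule 3, first half: Corrupted output to C, recorded x leaks to A.
        self.committer_corrupted = True
        self.committer.tape.append(("Corrupted",))
        self.adversary_view.append(("x", self.recorded))
        return self.recorded

    def adversary_change_value(self, x_new: Any) -> bool:
        # Rule 3, second half: allowed only while (Receipt) is not on R's tape.
        if not self.committer_corrupted or self.receipt_delivered:
            return False
        self.recorded = x_new
        return True


def scenario_honest() -> List[Tuple]:
    """Honest commit/open: R sees (Receipt) and then (Open, x)."""
    c, r = Party("C"), Party("R")
    f = FCom(c, r)
    f.input_commit(c, 1)
    f.adversary_ok()            # Receipt reaches R
    f.input_commit(c, 0)        # ignored by rule 1
    f.input_open(c)
    f.adversary_ok()            # (Open, 1) reaches R
    return r.tape


def scenario_corrupt_before_receipt() -> Tuple[bool, List[Tuple]]:
    """Corruption during the commit phase: the value may still be replaced."""
    c, r = Party("C"), Party("R")
    f = FCom(c, r)
    f.input_commit(c, 0)
    f.adversary_corrupt_committer()   # Receipt still pending
    changed = f.adversary_change_value(1)
    f.adversary_ok()                  # Receipt now delivered
    f.input_open(c)                   # A drives the corrupted C
    f.adversary_ok()
    return changed, r.tape


def scenario_corrupt_after_receipt() -> Tuple[bool, List[Tuple]]:
    """Corruption after the commit phase: the value is fixed."""
    c, r = Party("C"), Party("R")
    f = FCom(c, r)
    f.input_commit(c, 0)
    f.adversary_ok()                  # Receipt delivered first
    f.adversary_corrupt_committer()
    changed = f.adversary_change_value(1)   # must be refused
    f.input_open(c)
    f.adversary_ok()
    return changed, r.tape
```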


Impossibility of Realizing $\mathcal{F}_{\mathrm{COM}}$ in the Plain Model. Roughly speaking, the 
requirements from a protocol that UC-realizes $\mathcal{F}_{\mathrm{COM}}$ boil down to the following 
two requirements from the ideal-process adversary (simulator) $\mathcal{S}$. (a) When the 
committer is corrupted (i.e., controlled by the adversary), $\mathcal{S}$ must be able to 
“extract” the committed value from the commitment. That is, $\mathcal{S}$ has to come up 
with a value $x$ such that the committer will almost never be able to successfully 
decommit to any $x' \neq x$. This is so since in the ideal process $\mathcal{S}$ has to explicitly 
provide $\mathcal{F}_{\mathrm{COM}}$ with a committed value. (b) When the receiver is uncorrupted, $\mathcal{S}$ 
has to be able to generate a “simulated commitment” $c$ that looks like a real 
commitment and yet can be “opened” to any value, to be determined at the 
time of opening. This is so since $\mathcal{S}$ has to provide adversary $\mathcal{A}$ and environment 
$\mathcal{Z}$ with the simulated commitment $c$ before the value committed to is known. 
All this needs to be done without rewinding the environment $\mathcal{Z}$. 

Intuitively, these requirements look impossible to meet: A simulator that has 
the above abilities can be used by a dishonest receiver to “extract” the com- 
mitted value from an honest committer. This intuition can indeed be formalized 
to show that in the plain model it is impossible to UC-realize $\mathcal{F}_{\mathrm{COM}}$ by a two- 
party protocol. Essentially, the proof proceeds as follows. Let $\pi$ be a protocol 
that UC-realizes $\mathcal{F}_{\mathrm{COM}}$. Consider an execution of $\pi$ by an adversarially controlled 
committer $C$ and an honest receiver $R$, and assume that the adversary merely 
sends messages that are generated by the environment, and delivers to the en- 
vironment any message received from $R$. The environment, $\mathcal{Z}_C$, secretly picks 
a random bit $b$ at the beginning and generates the messages for $C$ by running 
the protocol of the honest committer for $b$ and $R$’s answers. Once $\mathcal{Z}_C$ received 
a “receipt” output from $R$, it starts running the honest opening protocol in the 
name of $C$. Finally, $\mathcal{Z}_C$ outputs 1 iff the $b'$ that $R$ outputs equals the secret bit 
$b$. We know that in an execution of $\pi$ with honest receiver and committer, 
in the opening stage the receiver always outputs the bit committed to by the 
committer. However, since $\pi$ UC-realizes $\mathcal{F}_{\mathrm{COM}}$, there should exist an ideal-model 
adversary $\mathcal{S}$ that interacts with $\mathcal{F}_{\mathrm{COM}}$ and generates a view for $\mathcal{Z}_C$ that is indis- 
tinguishable from a real execution with $\pi$. In particular, it must also be the case 
that $b = b'$ almost always even in the ideal process. For this to hold, it must be 
that $\mathcal{S}$ has given to $\mathcal{F}_{\mathrm{COM}}$ the correct bit $b$ at the commitment stage. Now, 
given $\mathcal{S}$, we can construct another environment, $\mathcal{Z}_R$, and a corrupted receiver 
$\mathcal{A}_R$, such that $\mathcal{Z}_R$ successfully distinguishes between an execution of $\pi$ and an 
interaction with $\mathcal{F}_{\mathrm{COM}}$ and any adversary $\mathcal{S}_R$. $\mathcal{Z}_R$ and $\mathcal{A}_R$ proceed as follows: 
$\mathcal{Z}_R$ chooses a random bit $b$ and hands $b$ as input to the honest committer $C$. It 
then waits to receive a bit $b'$ from $\mathcal{A}_R$ (which controls the receiver). $\mathcal{Z}_R$ outputs 
1 iff $b = b'$. $\mathcal{A}_R$ proceeds as follows: Recall that $\mathcal{S}$ can “extract” the committed 
bit $b$ via simple interaction with the committer’s messages, without rewinding 
or any additional information. Therefore, $\mathcal{A}_R$ can simply run $\mathcal{S}$ and guess $b$ al- 
most always. In contrast, when $\mathcal{Z}_R$ interacts with $\mathcal{F}_{\mathrm{COM}}$, the adversary’s view is 
independent of $b$, and thus $b = b'$ with probability exactly one half. 

4 The Common Reference String Model 

The common reference string model, first proposed in [BFM88] and used exten- 
sively since, assumes that the parties have access to a common string that is 
guaranteed to come from a pre-specified distribution. Furthermore, it is guaran- 
teed that the string was chosen in an “opaque” way, namely that no information 
related to the process of choosing this string is available to any party. A very 
natural distribution for the common string, advocated in [BFM88], is the uniform 
distribution over the strings of some length. Still, it is often useful to consider 
reference strings that are taken from other distributions. 

In the Zero-Knowledge context of [BFM88], the fact that the reference string 
comes from an external source that is unrelated to the actual computation is 
captured by allowing the simulator to choose the reference string as it wishes, 
as long as the adversary cannot distinguish this “simulated string” from a “real 
string” taken from the prescribed distribution. Indeed, it is this extra freedom 
given to the simulator which makes this model powerful. 

Within the present framework, the CRS model can be captured in a natural 
way by modeling the reference string as coming from an appropriate ideal func- 
tionality. More specifically, we formulate functionality $\mathcal{F}_{\mathrm{CRS}}$, presented in Figure 
2 below. The functionality is parameterized by a distribution $D$ and a set $\mathcal{P}$ of 
recipients of the reference string. Upon invocation, it first draws a value $r$ from 
distribution $D$. Next, on input from a party $P \in \mathcal{P}$, $\mathcal{F}_{\mathrm{CRS}}$ returns $r$ to $P$. 

Letting the adversary know $r$ models the fact that $r$ is public, and cannot be 
assumed secret. Prohibiting parties not in $\mathcal{P}$ from obtaining $r$ directly from $\mathcal{F}_{\mathrm{CRS}}$ 
models the fact that $r$ is treated as local to a specific protocol instance, and is 
intended to be used only within this protocol instance. (This point is elaborated 
on in Section 7.) Other protocol instances should use different “draws” from 
distribution $D$. This restriction on the use of the reference string limits the 
applicability of the CRS model: To realize $\mathcal{F}_{\mathrm{CRS}}$ in reality, the participants of 
each protocol execution need to somehow “get together” and obtain a reference 
string that they all trust to be taken from the specified distribution. The next 
sections discuss set-up assumptions that are aimed at mitigating this limitation 
in a number of different ways. 


Functionality $\mathcal{F}_{\mathrm{CRS}}$ 

1. When receiving input (CRS, $sid$) from party $P$, first verify that $P \in 
\mathcal{P}$; else ignore the input. Next, if there is no value $r$ recorded then 
choose and record a value $r \leftarrow D$. Finally, send a public delayed output 
(CRS, $sid$, $r$) to $P$. 


Fig. 2. The Common Reference String functionality 


From $\mathcal{F}_{\mathrm{CRS}}$ to $\mathcal{F}_{\mathrm{COM}}$. Several protocols that UC-realize $\mathcal{F}_{\mathrm{COM}}$ given access to 
$\mathcal{F}_{\mathrm{CRS}}$ are known. Here we briefly sketch the protocol of [CF01]. What “saves” the 
simulator in the CRS model from the above impossibility result is the following 
observation, which parallels the original CRS model of [BFM88]: When interact- 
ing with a commitment protocol that uses $\mathcal{F}_{\mathrm{CRS}}$, the environment learns about 
the value of the reference string only from the adversary. This means that, in the 
ideal process for $\mathcal{F}_{\mathrm{COM}}$, the simulator can choose the reference string on its own. 
Consequently, the simulator can know some “trapdoor information” associated 
with the reference string, and even change its distribution slightly. 

The [CF01] commitment protocol uses this observation as follows. The ref- 
erence string will consist of a public key $e$ of an encryption scheme and a 
claw-free pair of permutations $f_0, f_1$ with trapdoor. (That is, given only the 
description $f_0, f_1$ it is infeasible to find $x_0, x_1$ such that $f_0(x_0) = f_1(x_1)$, but 
given a trapdoor $t$ one can efficiently invert, say, $f_0$.) Now, to commit to bit 
$b$, the committer chooses a random value $r$ and sends the commitment message 
$(f_b(r), E_e(r_0, id), E_e(r_1, id))$ where $r_b = r$, $r_{1-b} = 0$, and $id$ is an identifier for the 
session. (Typically, $id$ would include the identities of the committer and receiver, 
plus additional commitment-specific information.) To open to bit $b$, the commit- 
ter sends $r$ and the randomness used for encrypting $r$; this is the first or second 
encryption, depending on $b$.² Now, in a standard execution of the protocol the 
commitment is committing (due to the claw-freeness of $f_0, f_1$), and hiding (due 
to the security of the encryption scheme). However, in a simulated execution 
the simulator can know both $t$ and the decryption key associated with $e$. It can 
thus easily generate commitment strings that can be opened both ways, and at 
the same time it can easily extract the hidden value committed in an honestly 
generated commitment. When the encryption scheme is secure against chosen 
ciphertext attacks, it can be shown that the simulator can successfully extract 
the hidden value even when the commitment string is chosen adversarially. These 
ideas are at the basis of the proof of security of the protocol. 

We note that the above protocol can generate multiple commitments using 
a single reference string. In other words, it actually realizes a “multi-session 
version” of $\mathcal{F}_{\mathrm{COM}}$, where a single instance allows multiple parties to commit and 
open multiple commitments. (This multi-session version is called $\mathcal{F}_{\mathrm{MCOM}}$ in the 
literature.) This somewhat alleviates the need to agree on a different reference 
string for each protocol instance, since a single instance of the above protocol 
suffices for generating commitments for an entire system. However, the solution 
is far from satisfying: First, strictly speaking, all protocol instances that use 
the same commitment protocol now have some joint state and can no longer 
be analyzed separately and be composed later. Second, no security guarantee 
is given with respect to other protocols that use the same reference string in 
other ways than via that global instance of the commitment protocol. The first 
issue is handled by the Universal Composition with Joint State (JUC) theorem 
of [CR03]. The second issue is more subtle and is addressed in Section 7. 

5 The Key Set-Up Model 

The CRS set-up assumption has the advantage that it only requires knowledge 
of a single short string. In particular, it does not require parties to identify 
themselves or to go through a registration process before participating in a protocol. 
Thus, in settings where it is reasonable to assume the existence of a trusted reference 
string, this assumption is very attractive. However, when the reference string is 
being generated by a computational entity that may be corrupted or subverted, 
the CRS modeling is somewhat unsatisfactory, in that it puts complete trust 
in a single entity. In fact, this entity, if subverted, can completely undermine 
the security of the protocol by choosing the reference string from a different 
distribution, or alternatively by leaking to some parties some secret information 
related to the string. Furthermore, it can do so without being detected. 

2 The actual protocol is slightly different, to account for adaptive corruptions. 
The key set-up functionality, F_KS, formulated in [BCNP04] and presented in 
Figure 3, is written in a way that can be realized by real-world mechanisms 
that do not require all participants to put full trust in a single string. At the 
same time, it can be realized even in the CRS model itself. We first describe the 
functionality and its use, and then discuss how it can be realized. 

F_KS is parameterized by a set V of parties and a deterministic function 
f : {0,1}^* -> {0,1}^*, that represents a method for computing a public key 
given a secret (and supposedly random) key. The functionality allows parties to 
register their identities together with an associated “public key”. However, F_KS 
provides only relatively weak guarantees regarding this public key, giving the 
adversary considerable freedom in determining this key. (This freedom is what 
makes F_KS so relaxed.) Specifically, the “public key” to be associated with a 
party upon registration is determined as follows. The functionality keeps a set R 
of “good public keys”. Upon receiving a registration request from party P ∈ V, 
the functionality first notifies the adversary that a request was made and gives 
the adversary the option to set the registered key to some key p that is already 
in R. If the adversary declines to set the registered key, then the functionality 
determines the key on its own, by choosing a random secret r from a given 
domain (say, {0,1}^k for a security parameter k) and letting p = f(r). Once the 
registered key p is chosen, the functionality records (P, p) and returns p to P 
and to the adversary. Finally, if p was chosen by the functionality itself then p 
is added to R. If the registering party is corrupted, then the adversary can also 
specify, if it chooses, an arbitrary “secret key” r. In this case, P is registered 
with the value f(r) (but f(r) is not added to R). 

A retrieval request, made by a party in V, for the public key of party P is 
answered with either an error message ⊥ or one of the registered public keys of 
P, where the adversary chooses which registered public key, if any, is returned. 
(That is, the adversary can prevent a party from retrieving any of the registered 
keys of another party.) 

Notice that the uncorrupted parties do not obtain any secret keys associated 
with their public keys, whereas the corrupted parties may know the secret keys 
of their public keys. Furthermore, F_KS gives the adversary a fair amount of 
freedom in choosing the registered keys. It can set the keys associated with 
corrupted parties to be any arbitrary value (as long as the functionality received 
the corresponding private key). The adversary can also cause the keys of both 
corrupted and uncorrupted parties to be identical to the keys of other (either 
corrupted or uncorrupted) parties. Still, F_KS guarantees two basic properties: (a) 
the public keys of good parties are “safe” (in the sense that their secret keys were 
chosen at random and kept secret from the adversary), and (b) the public keys 
of the corrupted parties are “well-formed”, in the sense that the functionality 
received the corresponding private keys. 

In [BCNP04] it is shown how to UC-realize F_MCOM given access to F_KS. A non-interactive 
protocol for realizing F_ZK given access to F_KS is also shown. The protocol 
for realizing F_MCOM is essentially identical to the [CF01] protocol described above; 
the only difference is that the claw-free pair f_0, f_1 is now the public key of the 
Functionality F_KS 

F_KS proceeds as follows, given set V of identities, function f and security 
parameter k. At the first activation a set R of strings is initialized to be 
empty. 

Registration: When receiving input (Register, sid) from a party P, verify 
that P ∈ V, else ignore the input. Next, send (Register, sid, P) 
to the adversary, and receive a value p' from the adversary. Then, if 
p' ∈ R then let p ← p'. Else, choose r ← {0,1}^k, let p ← f(r), and 
add p to R. Finally, record (P, p) and return (sid, p) to P and to the 
adversary. 

Registration by a corrupted party: When receiving input 
(Register, sid, r) from a corrupted party P ∈ V, record (P, f(r)). In 
this case, f(r) is not added to R. 

Retrieval: When receiving a message (Retrieve, sid, P) from party P' ∈ 
V, send (Retrieve, sid, P, P') to the adversary and obtain a value p in 
return. If (P, p) is recorded then return (sid, P, p) to P'. Else, return 
(sid, P, ⊥) to P'. 


Fig. 3. The Key Registration functionality 


receiver, whereas the encryption key e is now the public key of the committer. 
Intuitively, this works since the committer is only concerned that the secret 
decryption key associated with e remains unknown, whereas the receiver is only 
concerned that the trapdoor t of f_0, f_1 remains unknown. We note, however, 
that this protocol remains secure only for non-adaptive party corruption. 
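As an added illustration (not code from the paper or from [BCNP04]), the following Python simulation plays the functionality F_KS of Fig. 3 against a scripted adversary, so that the adversary's freedoms (copying a good key onto another party, denying retrieval) and the two guarantees (a) and (b) can be exercised on constructed data; the hash used as f, the party names and the session id are assumptions of this example.

```python
import os
import hashlib

BOTTOM = None  # stands in for the error symbol ⊥ on a failed retrieval

def f(r: bytes) -> bytes:
    # Deterministic map from a secret key r to a public key. The hash is only a
    # stand-in for a real key-derivation map (an assumption of this example).
    return hashlib.sha256(b"pk|" + r).digest()

class ScriptedAdversary:
    """The adversary's side of F_KS: consulted at every registration and retrieval."""

    def __init__(self):
        self.observed = {}          # P -> public keys that F_KS reported to us
        self.propose = None         # key to propose at the next registration
        self.deny_retrieval = False

    def on_register(self, sid, P):
        return self.propose         # None means "decline to set the key"

    def observe(self, P, p):
        self.observed.setdefault(P, []).append(p)

    def on_retrieve(self, sid, P, P_prime):
        if self.deny_retrieval or P not in self.observed:
            return b"never-registered"   # any value not recorded for P yields ⊥
        return self.observed[P][0]

class KeyRegistration:
    """Simulation of F_KS (Fig. 3) for a set V of parties and security parameter k."""

    def __init__(self, sid, parties, k, adversary):
        self.sid, self.parties, self.k = sid, set(parties), k
        self.adversary = adversary
        self.good_keys = set()      # the set R of "good public keys"
        self.records = []           # recorded (P, p) pairs; several per P are allowed

    def register(self, P):
        """(Register, sid) from a party P that follows the protocol."""
        if P not in self.parties:
            return None             # input is ignored
        p_prime = self.adversary.on_register(self.sid, P)
        if p_prime in self.good_keys:
            p = p_prime             # adversary reuses a key that is already in R
        else:
            r = os.urandom(self.k // 8)   # r <- {0,1}^k; never output to anyone
            p = f(r)
            self.good_keys.add(p)         # property (a): p is a "safe" key
        self.records.append((P, p))
        self.adversary.observe(P, p)      # p goes to P and to the adversary
        return (self.sid, p)

    def register_corrupted(self, P, r):
        """(Register, sid, r) from a corrupted P: f(r) is recorded, R is untouched."""
        if P not in self.parties:
            return None
        p = f(r)                          # property (b): the key is well-formed
        self.records.append((P, p))
        self.adversary.observe(P, p)      # a corrupted party shares its view
        return (self.sid, p)

    def retrieve(self, P_prime, P):
        """(Retrieve, sid, P) from P'; the adversary picks which key is returned."""
        if P_prime not in self.parties:
            return None
        p = self.adversary.on_retrieve(self.sid, P, P_prime)
        if (P, p) in self.records:
            return (self.sid, P, p)
        return (self.sid, P, BOTTOM)

def run_scenario():
    """Exercise the adversary's freedoms and the two guarantees on constructed data."""
    adv = ScriptedAdversary()
    fks = KeyRegistration("sid-1", {"Alice", "Bob", "Carol"}, 256, adv)
    _, p_alice = fks.register("Alice")    # adversary declines: fresh key, added to R
    adv.propose = p_alice
    _, p_bob = fks.register("Bob")        # Bob's key is set equal to Alice's
    adv.propose = b"\x00" * 32            # not in R: the proposal is ignored
    _, p_bob2 = fks.register("Bob")
    r_carol = bytes(range(32))            # constructed secret of corrupted Carol
    _, p_carol = fks.register_corrupted("Carol", r_carol)
    found = fks.retrieve("Bob", "Alice")
    adv.deny_retrieval = True
    denied = fks.retrieve("Bob", "Alice")
    return {
        "alice_key_good": p_alice in fks.good_keys,
        "bob_copied_alice": p_bob == p_alice,
        "bad_proposal_ignored": p_bob2 != b"\x00" * 32 and p_bob2 in fks.good_keys,
        "carol_well_formed": p_carol == f(r_carol),
        "carol_not_good": p_carol not in fks.good_keys,
        "retrieve_alice": found == ("sid-1", "Alice", p_alice),
        "retrieve_denied": denied == ("sid-1", "Alice", BOTTOM),
        "outsider_ignored": fks.register("Mallory") is None,
    }
```

Every entry returned by run_scenario() is True; in particular Carol's self-chosen key is well-formed but never enters R, and a key the adversary proposes that is not in R is silently replaced by a fresh one.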

Realizing F_KS. F_KS can be realized in a number of different ways. First, we 
observe that F_KS can be realized in the F_CRS^D-hybrid model, where D = D_f is 
the distribution of f(r) for r that is uniform in {0,1}^k. The protocol is straightforward: 
On input either (Register, sid) or (Retrieve, sid, P), party P sends 
(CRS, sid) to F_CRS^D and returns the obtained value. 

Realizing F_KS Given a Distributed Registration Service. Consider a setting 
where the parties have access to registration servers where parties can register 
and obtain public keys that were chosen at random according to a given 
distribution (i.e., the public key is f(r) for a uniformly random r ∈ {0,1}^k). Alternatively, parties 
can choose their keys themselves and provide them to the server. Note that here 
each party needs to put full trust (to keep its key secret) only in the server it 
registers with. The trust put in other servers is much lower - it only needs to be 
trusted that the public keys obtained from these servers are “well formed” . 

Realizing F_KS Using Traditional Proofs of Knowledge. Finally, it is possible 
to realize F_KRK (and thus also F_KS) via traditional (non-UC) proofs of 
knowledge of the private key, under the assumption that the proofs of knowledge 
occur when there is no related network activity. (Intuitively, in this case it is 
ok to “rewind” the environment, as necessary to prove security of the traditional 
proof of knowledge.) 

6 Adversarially Controlled Set-Up 

The common reference string model provides the guarantee that the reference 
string is drawn from a pre-specified distribution. This is a very convenient ab- 
straction for the purpose of designing protocols. Indeed, all existing protocols 
use this guarantee in a crucial sense: Security analyses quickly fall apart as soon 
as the distribution of the reference string is changed even slightly. 

This property is quite limiting. In particular, it seems to rule out “physical 
implementations” where the reference string is taken to be the result of joint 
measurement of some physical phenomenon such as astronomic measurements, 
fluctuations of the stock market, or even network delays across the Internet. 
Indeed, while it is reasonable to believe that such phenomena are largely unpre- 
dictable and uncontrollable, namely they have “high entropy” , it is a stretch of 
the imagination to believe that they are taken from a distribution that is known 
to and useful for the protocol designer. 

Can composable security be obtained if we only have an imperfect reference 
string, or alternatively a reference string that is adversarially controlled to 
some extent? More specifically, are there protocols that UC-realize, say, F_COM in 
such a setting? 

A first indication that this might not be an easy task is the result of 
Dodis et al. [DOPS04] that demonstrates the impossibility of NIZK in a relaxed 
variant of the CRS model in which the distribution of the reference string can be 
arbitrary subject to having some minimal min-entropy. However, this result does 
not rule out composable protocols; more importantly, it does not consider 
the case where the reference string is guaranteed to be taken from an efficiently 
samplable distribution. Indeed, for such distributions deterministic extractors 
are known to exist (under computational assumptions) [TV00]. Thus, one might 
expect it to be possible to “compile” any protocol in the CRS model (or at 
least protocols that can do with a uniformly distributed reference string) into a 
protocol that uses a reference string that is taken from any efficiently samplable 
distribution that has sufficient min-entropy: First have the parties use a deterministic 
extractor to transform the reference string into a string that is almost 
uniformly distributed. Next, run the original protocol. Since the extracted string 
is almost uniform, one might expect the original analysis to work in the same way. 

However, deterministic extractability turns out to be insufficient for this purpose. 
In fact, it turns out that if one relaxes F_CRS so as to allow the distribution 
to be adversarially determined, then UC-realizing F_COM becomes impossible 
[CPS07]. Impossibility holds even if the chosen distribution is guaranteed to have 
full min-entropy minus a polynomially vanishing fraction, even if the distribution 
is guaranteed to be sampled via an algorithmic process, namely via a sampling 
process that has a relatively succinct description, and even when this process is 
guaranteed to be computationally efficient. 
As a recourse, one may restrict attention to the case where the algorithm for 
sampling the reference string is known to the adversaries involved. (Still, it is of 
course unknown to the protocol.) Here it turns out to be possible to UC-realize 
F_COM, as long as the reference string is taken from a distribution that is guaranteed 
to have a polynomial time sampling algorithm, a short description, and 
super-logarithmic min-entropy. Furthermore, all three conditions are simultaneously 
necessary, in the sense that impossibility holds as soon as any one of the 
conditions is relaxed [CPS07]. 

Discussion. It may appear over-optimistic to assume that the physical (or 
man-made) phenomena used to generate the reference string are governed by 
distributions where the sampling algorithm is computable in polynomial time. 
Indeed, why should Nature be governed by succinct and efficient algorithms? 
However, beyond the technical fact that these restrictions are necessary, one can 
view our analysis as a proof that any successful attack against the proposed 
protocols demonstrates that either the underlying hardness assumptions are vi- 
olated, or else that the process for choosing the reference string is not efficiently 
computable, or has a long description. This might be an interesting revelation in 
itself. Alternatively, the positive result may be interpreted as addressing situa- 
tions where the process of choosing the reference string is influenced by an actual 
attacker. Here the guarantee that the distribution has some min-entropy repre- 
sents the fact that the attacker’s influence on the sampling process is limited. 

The [CPS07] Results in More Detail. Three relaxations of F_CRS are formulated. 
The first relaxation, called F_BBSUN, proceeds as follows. (Here SUN stands 
for “sunspots”, which is the term used in the first works that propose the CRS 
model when referring to astronomic observations [BFM88, FLS99], and BB stands for 
“black-box”.) Instead of treating the distribution D as a fixed, public parameter, 
let the environment determine the distribution by providing a description 
of a sampling algorithm for D. Then, F_BBSUN chooses a sufficiently long random 
string ρ and computes the reference string r = D(ρ). In addition, F_BBSUN lets 
the adversary (and simulator) obtain additional independent samples from the 
distribution “on the side”. These samples are not seen by the environment or 
the parties running the protocol. 

Three parameters of F_BBSUN turn out to be salient. First is the min-entropy, 
or “amount of randomness” of the reference string (measured over the random 
choices of both the environment and the sunspot functionality). Next is the 
runtime, or computational complexity of the sampling algorithm D. Last is 
the description-size of D (namely, the number of bits in its representation as 
a string); this quantity essentially measures the amount of randomness in the 
reference string that comes from the random choices of the environment. All 
quantities are measured as a function of the length n of the reference string; 
that is, we treat n as the security parameter. 

Theorem 1: There exist no two-party protocols that UC-realize F_COM when given 
access to F_BBSUN. This holds even if the distribution of the reference string 
is guaranteed to have min-entropy greater than n − n^ε, and even if both the 
description size and the computational complexity of the provided sampling 
algorithm are guaranteed to be at most n^ε, for any ε > 0. 

Next a more restricted setting is considered, where the adversary has access to 
the “code”, or description of the sampling algorithm D. This is modeled by having 
the set-up functionality explicitly send the description of D to the adversary. 
(Note that this relaxation is meaningful only for sampling algorithms that can 
be described in poly(n) bits, else the adversary cannot read the description.) Call 
this functionality F_GBSUN (for “gray box”). The third variant, called F_SUN, gives 
to the adversary also the local random choices used to generate the reference 
string. It turns out that this variant provides an incomparable setup guarantee 
to that of F_GBSUN. (This is so since the setup functionality is invoked directly by 
the environment. Consequently, the functionality exists both in the real-life and 
in the ideal models.) 

Theorem 2: There exist no two-party protocols that UC-realize F_COM when given 
access to either F_GBSUN or F_SUN. This holds even if any one of the following 
holds: 

1. The computational complexity of the sampling algorithm can be super-polynomial 
in n, as long as the distribution of the reference string is guaranteed 
to have min-entropy n − poly log n, and the description size of the 
provided sampling algorithm is guaranteed to be at most poly log n (assuming 
one-way functions with sub-exponential hardness). 

2. The description size of the sampling algorithm is at least μ(n) − log n, as long 
as the distribution of the reference string is guaranteed to have min-entropy 
μ(n) = n and the computational complexity is guaranteed to be at most 
O(n). 

3. The distribution of the reference string has min-entropy at most log n, as 
long as the description length is O(1) and the computational complexity is 
O(n). 

On the other hand, we have: 

Theorem 3: Assume there exist collision-resistant hash functions, dense cryptosystems 
and one-way functions with sub-exponential hardness. Then there exists 
a two-party protocol that UC-realizes F_MCOM, when given access to O(1) instances 
of either F_GBSUN or F_SUN, as long as it is guaranteed that the min-entropy of the 
reference string is at least μ(n) = poly log n, the computational complexity of 
the provided sampling algorithm is at most poly(n), and its description size is at 
most μ(n) − poly log n. 

Furthermore, the protocol from Theorem 3 withstands even adaptive party cor- 
ruptions, with no data erasure, whereas Theorems 1 and 2 apply even to protocols 
that only withstand static corruptions. 

In other words, under computational assumptions, Theorems 2 and 3 provide 
an essentially tight characterization of the feasibility of UC protocols, in terms 
of the min-entropy, computational complexity and description length of the reference 
string. Informally, 

UC-security of non-trivial tasks is possible if and only if the reference 
string has min-entropy at least μ(n) = poly log n, and is generated by a 
computationally-efficient sampling algorithm with description length at 
most μ(n) − poly log n. 

Techniques for the Impossibility Results. The impossibility results combine 
the [CF01] proof of impossibility of UC-realizing F_COM in the plain model 
with techniques from [GK96]. Recall that the model does not let the environment 
see the reference string directly, which in principle allows the simulator to 
present the environment with any string of its choosing and claim that this is the 
reference string chosen in the execution. To mitigate this freedom, the environment 
chooses a special distribution D that makes sure that the string presented 
by the simulator as the actual reference string can only be one of the strings that 
the simulator received as “extra samples” from the set-up functionality. Since 
the simulator can only ask for a polynomial number of such samples, it can be 
seen that a dishonest verifier can still use the simulator to extract the committed 
bit from an honest committer, much as in the proof of [CF01], and with only 
polynomial degradation in success probability. All impossibility results use this 
idea, with different techniques for choosing the distribution D so as to obtain the 
desired effect. 

Protocol Techniques. To explain the main idea behind the protocol, it is 
useful to first sketch a simpler protocol that is only secure with respect to static 
corruptions. Also, the protocol aims to realize the zero-knowledge functionality, 
F_ZK, rather than F_MCOM. The idea is to use a variation on Barak’s protocol [Bar01]: 
Let L be an NP language and assume that a prover P wishes to prove to a 
verifier V that x ∈ L, having access to a reference string r that is taken from 
an unknown distribution with min-entropy at least μ = n^ε. Then, P and V will 
engage in a witness-indistinguishable proof that “either x ∈ L or the reference 
string r has a description of size μ/2”. (As in Barak’s protocol, the description 
size is measured in terms of the Kolmogorov complexity, namely existence of a 
Turing machine M with description size μ/2 that outputs r on empty input. 
Also, in order to guarantee that the protocol is simulatable in polynomial time, 
M should be polynomial time.) Soundness holds because in a real execution of 
the protocol, r is taken from a distribution with min-entropy at least μ, so the 
second part of the “or” statement is false with high probability. To demonstrate 
zero-knowledge, the simulator generates a simulated reference string r̃ by running 
the sampling algorithm D for the distribution on a pseudorandom random-input. 
That is, the simulator chooses a random string ρ of length, say, μ/2 − |D| (where 
|D| denotes the description size of D) and computes r̃ = D(G(ρ)), where G is 
some length-tripling pseudo-random generator. Now, r̃ indeed has a description of 
size μ/2 (namely, ρ plus |D| plus the constant-size description of G); furthermore, 
the simulator knows this description. Also, since both D and the environment 
are polynomial time, the simulated string r̃ is indistinguishable from the real 
string r. 

The above protocol allows for straight-line simulation. It is not yet straight-line 
extractable, but it can be modified to be so using the techniques of jRi.Olj. 
Still, it is only secure against static corruptions of parties. In order to come up 
with a protocol that withstands adaptive corruptions a somewhat different technique 
is used, which combines the above idea with techniques from [CDPW07]. 
First, they move to realizing F_MCOM. They then proceed in several steps: The first 
step is to construct a commitment scheme that is equivocal and adaptively secure. 
This is done using Feige and Shamir’s technique [FS89] for constructing equivocal 
commitments from Zero-Knowledge protocols such as the one described above. 
Next, the constructed equivocal commitment scheme is used in a special type of 
coin-tossing protocol, and the obtained coin tosses are used as a reference string for 
a standard UC commitment protocol such as [CF01]. 

The protocol allows two parties to perform multiple commitment and decom- 
mitment operations between them, using only two reference strings — one for 
the commitments by each party. This means that in a multi-party setting it 
is possible to realize any ideal functionality using one reference string for each 
(ordered) pair of parties, regardless of the number of commitments and decommitments 
performed. Furthermore, each reference string needs to be trusted only 
by the two parties who use it. 

7 Globally Available Set-Up 

All the set-up models considered so far model the set-up information as infor- 
mation that’s available only to the participants of a single protocol instance. 
This means that, in order to implement such a model, one has to generate a 
fresh reference string (or fresh public keys) for each instance of a protocol that 
uses it. Furthermore, this has to be done in a way that makes the reference 
string available only to the protocol participants. While such implementations 
are possible (say, via joint measurements of physical phenomena at the onset of 
an execution), this is a severe limitation. In particular, this modeling stands in 
contrast with the prevalent intuitive perception of the reference string (or public 
key infrastructure) as a “global” construct that is chosen in advance and made 
available to all throughout the lifetime of the system. 

Furthermore, this limitation turns out to be not only “academic”. For instance, 
all existing protocols designed in the CRS model turn out to be insecure 
in a setting where the reference string can be used by multiple, arbitrary protocols. 
In fact, as shown in [CDPW07], this limitation is inherent: No set-up 
assumption that only gives out public set-up information can suffice for realizing, 
say, F_COM, if the same set-up information can be used by all protocols in the 
system. 

To exemplify this point, consider the “non-transferability” (or, “deniability” ) 
concern, namely allowing party A to interact with party B in a way that prevents 
B from later “convincing” a third party, C, that the interaction took place. 
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Indeed, if A and B interact via an idealized “trusted party” that communicates 
only with A and B then deniability is guaranteed in a perfect, idealized way. 
Thus, intuitively, if A and B interact via a protocol that emulates the trusted 
party, then deniability should hold just the same. When the protocol in question 
uses no set-up, or alternatively set-up that’s local to each protocol instance, this 
intuition works, in the sense that UC-realizing such a trusted party automatically 
implies non-transferability. However, when a global set-up is used, this is no 
longer the case: There are protocols that emulate such a trusted party but do 
not guarantee non-transferability. 

For instance, consider the case of Zero-Knowledge protocols, namely protocols 
that emulate the trusted party for the “Zero-Knowledge functionality”: Zero-Knowledge 
protocols in the plain model are inherently deniable, but all existing 
Zero-Knowledge protocols in the CRS model are completely undeniable whenever 
the reference string is public knowledge (see [Pas03]). 

Non-transferability is not the only concern that remains un-captured in the 
present formulation of security in the CRS model. For instance, the protocol 
in [CF01] for realizing the single-instance commitment functionality becomes 
malleable as soon as two instances use the same reference string; indeed, to 
avoid this weakness a more involved protocol was developed, where multiple 
commitments can explicitly use the same reference string in a specific way. Other 
demonstrations of this point are given in [YYZ07a]. 

The Global CRS Model. Taking a second look at the way we modeled set-up 
so far, the main reason for the inability to capture such global set-up is the fact 
that so far the set-up was modeled as an ideal functionality that interacts only 
with the parties of a given protocol execution. In particular, the set-up does 
not explicitly take part in the ideal process. A natural way to capture global 
set-up is thus to model the set-up as an ideal functionality that interacts not 
only with the parties running the protocol, but also with other parties (or, in 
other words, with the external environment). This in particular means that the 
set-up functionality exists not only as part of the protocol execution, but also in 
the ideal process, where the protocol is replaced by the trusted party. 

More precisely, modify the CRS functionality, F_CRS, as follows: Instead of 
giving the reference string only to the adversary and the parties running the 
actual protocol instance, the new “global CRS” functionality, F_GCRS, will give the 
reference string to all parties and in particular to the environment. (Technically, 
in order to model F_GCRS one has to use the generalized UC security notion, as 
sketched in Section 2.2. Indeed, it is for this reason that the generalized model 
was first formulated.) 

Technically, the effect of this modeling is that now the simulator (namely, the 
adversary in the ideal process) cannot choose the reference string or know related 
trapdoor information. In a way, proofs of security in the new modeling, even 
with set-up, are reminiscent of the proofs of security without set-up, in the sense 
that the only freedom enjoyed by the simulator is to control the local random 
choices of the uncorrupted parties. Indeed, as mentioned above, in [CDPW07] 
the argument of [CF01] is extended to show that no two-party protocol can 
UC-realize F_COM. The proof extends to rule out any set-up functionality that 
makes all of its inputs and outputs available to the environment. 

New Set-Up Assumptions and Constructions. It turns out, however, that 
it is possible to come up with global set-up functionalities that lend themselves to reasonable 
implementation and are still sufficient for UC-realizing F_COM. We briefly sketch 
three such functionalities. 

The first functionality is reminiscent of the key set-up functionality F_KS from 
Section 5, with the exception that here the registration is done once per party 
throughout the lifetime of the system, and the public key can be used in all 
instances of all the protocols that the party might run. In particular, public keys 
are directly accessible by the environment, even in the ideal process. It turns out 
that one of the [BCNP04] protocols for UC-realizing F_COM given F_KS continues 
to work even when F_KS is replaced by the global variant, F_GKS, as long as party 
corruptions are non-adaptive. However, when party corruptions can be adaptive, 
and the adversary can observe the past internal data of corrupted parties, 
this protocol becomes insecure. To address this concern, a more sophisticated 
protocol is constructed in [CDPW07]. 

A second functionality, called F_ACRS for “augmented CRS (ACRS)”, is reminiscent 
of the CRS set-up, but is somewhat augmented so as to circumvent the 
impossibility result for plain CRS. That is, as in the case of F_GCRS, all parties 
and the environment have access to a short reference string that is taken from 
a pre-determined distribution. In addition, the ACRS set-up allows corrupted 
parties to obtain “personalized” secret keys that are derived from the reference 
string, their public identities, and some “global secret” that’s related to the 
public string and remains unknown. It is stressed that in the formal model only 
corrupted parties may obtain their secret keys. The effect of this modeling is 
that protocols may not include instructions that require knowledge of the secret 
keys, and yet corrupted parties are assumed to have access to their secret keys. 
A protocol for UC-realizing F_COM (in fact, F_MCOM) given F_ACRS is constructed in 
[CDPW07]. The main additional technique on top of the protocol using F_GKS is a 
new identity-based trapdoor commitment (IBTC) protocol. (IBTC protocols in 
the Random Oracle model appear in [ZSS03, AM04].) 

“Real world implementations” of F_GKS and F_ACRS can involve a trusted entity 
(say, a “post office”) that only publicizes the public value. The trusted entity 
will also agree to provide the secret keys to the corresponding parties upon 
request, with the understanding that once a party gets hold of its key then it 
alone is responsible to safeguard it and use it appropriately (much as in the case 
of standard PKI). In light of the impossibility of a completely non-interactive 
set-up (CRS), this seems to be a minimal “interactiveness” requirement from 
the trusted entity. 

Another global set-up assumption, formulated in Hofheinz et al. [HMU05], 
provides each party p with a public “verification key” V_p (chosen by the functionality). 
Next, the functionality provides p with unforgeable signatures on messages 
of p’s choice, where the signatures can be publicly verified using V_p. It is 
stressed that the signing keys are not made available to the parties, even to 
corrupted ones. A protocol for realizing F_COM given access to this functionality, 
for non-adaptive corruptions, is given in [HMU05]. This functionality is much 
more interactive than F_ACRS or F_GKS. Still, as suggested in [HMU05], in reality it 
can be implemented by a tamper-proof signing device such as a smart-card. 

8 A Timing Assumption 

Last but not least, we consider an alternative approach for making assumptions 
on the system in order to guarantee composable security. Specifically, rather 
than assuming that parties have access to some trusted information, some minimal 
assumptions are made regarding the synchrony of the system at some point 
in its execution. More precisely, it is assumed that all messages sent are eventually 
delivered unmodified within some time bound, and in addition there is a 
bound on the amount of relative “drift” between local clocks of parties in the 
system. In [LPT04] it is shown how to UC-realize F_CRS and F_COM in such a setting. 

The fact that a timing assumption suffices for UC-realizing, say, F_CRS, is not 
surprising in and of itself: Assume for instance that the network is completely synchronous, 
and furthermore no party (not even corrupted ones) receives messages 
sent in round i before the last chance to send out its messages for round i. Then 
a simple, unconditionally secure two-party protocol for UC-realizing F_CRS would 
be to simply have each of the two parties send a random string of the appropriate 
length at a certain round, and then let the reference string be the bitwise xor 
of the two strings. In [LPT04] it is shown, via a sophisticated protocol and under 
standard hardness assumptions, how to obtain a similar effect while making 
(much) weaker synchronization assumptions on the system. 

It is interesting to note that the timing assumptions have to hold only during the execution of the protocol for UC-realizing $\mathcal{F}_{\mathrm{CRS}}$. Once the reference string is fixed, no timing assumptions are needed. Also, since there is no trusted piece of information to be passed around, this approach bypasses the "transferability" issues of the other set-up assumptions and provides complete deniability. 

9 Realizing Authenticated Communication 

The treatment of the preceding sections (from Section 3 on) concentrates on the case of ideally authenticated networks, where messages are not modified en route and arrive with an authentic sender identity. More precisely, the parties are assumed to have access to multiple copies of an ideal functionality, $\mathcal{F}_{\mathrm{AUTH}}$, that, roughly, takes input $(sid, B, m)$ from party $A$, and provides output $(sid, A, m)$ to $B$, where $sid$ is a session identifier. 

It is interesting to note that the above ideal authentication guarantee implicitly carries with it a non-transferability guarantee: the ideally authenticated communication setting does not provide the recipient of a message sent by party $A$ with any means to convince a third party that the message was indeed sent by $A$. $\mathcal{F}_{\mathrm{AUTH}}$ provides the same guarantee. This means that communication via $\mathcal{F}_{\mathrm{AUTH}}$ is in effect "non-transferable", or in other words "deniable". 
As observed in [C04], it is impossible to UC-realize $\mathcal{F}_{\mathrm{AUTH}}$ in the "bare" model with no set-up assumptions. Still, $\mathcal{F}_{\mathrm{AUTH}}$ can be UC-realized, via standard authentication mechanisms, when given access to an ideal functionality that allows parties to register public values associated with their identities [C04]. It is stressed that this functionality, $\mathcal{F}_{\mathrm{REG}}$, does not verify knowledge of any secret information associated with the registered value; it merely provides a registration (or "bulletin-board") service. 

However, akin to the formulation of the traditional CRS model, the formulation of $\mathcal{F}_{\mathrm{REG}}$ in [C04] is that of a "local" set-up that is available only to the parties that run the specific protocol instance. Implementing $\mathcal{F}_{\mathrm{REG}}$ is thus susceptible to the same limitations that apply to implementing $\mathcal{F}_{\mathrm{CRS}}$ (see the discussion of $\mathcal{F}_{\mathrm{CRS}}$ above): essentially, a new instance of the registration service is needed for each new protocol instance. In particular, similarly to the case of $\mathcal{F}_{\mathrm{CRS}}$, when the [C04] protocol for UC-realizing $\mathcal{F}_{\mathrm{AUTH}}$ uses a "global" registration service that is available to arbitrary protocols, authentication becomes "transferable". (In fact, a publicly verifiable signature by the sender on the transmitted information becomes available to the recipient, who can show it to anyone.) 

Modeling authenticated communication in the presence of global set-up is an interesting challenge. One direction is to model the security guarantees provided by standard authentication mechanisms (such as the simple signature-based mechanism studied in [C04]) in the presence of global set-up. These guarantees are naturally described by means of an ideal authentication functionality that allows for transferability even in the ideal process. Another direction is to study protocols that UC-realize the original, non-transferable version of $\mathcal{F}_{\mathrm{AUTH}}$ even when given only globally available set-up. This is an interesting avenue for current and future research. 

10 Conclusion and Open Problems 

We have exemplified the need for trusted set-up models in order to obtain com- 
posable security, and have studied a variety of set-up models. These models have 
very different characteristics, both from the point of view of the guarantees pro- 
vided to protocols designed in these models, and from the point of view of the 
requirements from practical implementations of the models. 

While some progress has been made in the past few years towards under- 
standing how to formulate models that allow bypassing the strong impossibility 
results regarding composable security, how to develop protocols in these models, 
and how to implement such models in practice, much remains to be understood. 
Some specific challenges and questions include: 

1. Finding protocols that use current set-up models more efficiently. Finding 
easier and more secure ways to implement existing set-up models in practice. 
Finding new set-up models that allow for more efficient protocols and/or 
easier implementations. 

2. Finding a characterization of the set-up models that allow for UC-realizing, say, $\mathcal{F}_{\mathrm{COM}}$ (or any other ideal functionality that allows for UC-realizing general ideal functionalities). We have seen that set-up functionalities can have very different flavors and characteristics. Are there some salient properties that are common to all and are necessary and/or sufficient for UC-realizing $\mathcal{F}_{\mathrm{COM}}$? 

3. More specifically, are there global set-up models that allow for adversarial control over the set-up information akin to $\mathcal{F}_{\mathrm{SUN}}$, and still allow for UC-realizing $\mathcal{F}_{\mathrm{COM}}$? Are there set-up models that allow for adversarial control over the set-up information, and at the same time allow for UC-realizing authenticated communication? 

4. Are there general relationships between set-up models that allow for UC-realizing authenticated communication and set-up models that allow for UC-realizing $\mathcal{F}_{\mathrm{COM}}$? 

5. More generally, how can we better model the information shared between protocol instances in arbitrary systems? Is global set-up information the only information that can be shared, or are there other ways to share state and information? How can these be captured? An indication that in some situations protocols unintentionally (but inevitably) share more information than just the set-up is given in [YYZ07b]. 
Abstract. We propose a new composition scheme for hash functions. It is a variant of the Merkle-Damgård construction with a permutation applied right before the processing of the last message block. We analyze the security of this scheme using the indifferentiability formalism, which was first applied by Coron et al. to the analysis of hash functions, and we study the security of simple MAC constructions built from this scheme. Finally, we also discuss the random-oracle indifferentiability of this scheme with a double-block-length compression function or with the Davies-Meyer compression function composed of a block cipher. 


1 Introduction 

Background. Merkle-Damgård is an iterative hash function construction. Given a fixed-input-length (FIL) compression function, it combines the outputs of the compression function in a serial fashion to produce a hash function that can process strings of arbitrary length¹. While it is a clean design with proven collision resistance, it suffers from the extension property: one can compute $H(M_1\|M_2)$ from $H(M_1)$ even without knowledge of $M_1$ (only its length is needed, to reproduce the padding). 

Suppose that we try to use a Merkle-Damgård (MD) hash function for message authentication. There are many proposals for hash-based MACs, but currently the most popular hash-based MAC is definitely HMAC. It has a simple structure, and it also has rigorous security proofs. But, given a hash function $H(\cdot)$, one of the most natural ways to make a MAC out of $H$ is the prefix construction 

$$M_K(x) \stackrel{\mathrm{def}}{=} H(K\|x).$$

Indeed, the efficiency of the above construction would be almost twice that of HMAC for short messages, and we know that if $H(\cdot)$ is a random oracle, rather than a concrete hash algorithm, then the construction gives a secure MAC. Unfortunately, due to the extension property, the prefix construction is not secure when the underlying hash function is an MD hash function: given a message $x$ and its MAC $M_K(x) = H(K\|x)$, the attacker can easily forge the MAC of another message $x'$ that has $x$ (followed by the padding of $K\|x$) as its prefix, computing $M_K(x')$ without knowing $K$. 

¹ Or up to some large number ($2^{64}$ bits in the case of SHA-1, for example), depending on the padding and other specific details. 

The goal of HMAC was to design an efficient MAC with security proofs, out of 
already widely deployed MD hash functions. Therefore the designers of HMAC 
had to ‘fix’ the extension property of the underlying MD hash function, at the 
upper MAC construction level. 

But then we may consider another way, namely, to start freshly with a hash 
function design without such structural flaws like the extension property. Then 
perhaps we may use much simpler hash-based MACs such as the prefix construc- 
tion H(K\\M). Indeed, after Wang’s attacks on many popular hash functions, 
there are renewed interests in the design of hash functions. So this would be a 
good opportunity to consider an alternative to the MD scheme. 

At CRYPTO 2005, Coron et al. introduced a new methodology for assessing generic, structural properties of hash function constructions. They applied the notion of indifferentiability, which was first introduced by Maurer et al., to the analysis of hash functions. Coron et al. analyzed the structural properties of hash function constructions by first replacing the underlying compression function with a FIL random oracle, and then comparing the resulting hash function with a true random oracle. If no efficient distinguisher can tell the two objects apart, then the construction is considered secure, i.e., it has no structural flaws. The notion of indifferentiability is an appropriate framework to express these ideas rigorously. In fact, Coron et al. showed that the MD scheme is not indifferentiable from a random oracle, and suggested a few modifications of the MD scheme, all of which are indifferentiable from a random oracle. 

Hence, we now have a rigorous methodology for assessing the structural flaws 
of a hash function, such as the extension property of MD scheme, which was 
the main obstacle for adopting the simple constructions like the prefix construc- 
tion instead of HMAC. Now all we need is an actual design for hash function 
composition scheme which is efficient and structurally sound (in the sense of 
random oracle indifferentiability), and which admits a direct and efficient us- 
age as a MAC. Then in the future hash function design, we may adopt such a 
construction as an alternative to the MD scheme. 

Our Contribution. We propose a simple and efficient hash composition scheme. We call it Merkle-Damgård with a permutation (MDP). It is almost identical to the plain Merkle-Damgård scheme, but just before the last message block is processed, a permutation $\pi$ is applied: for a message $M = M_1 M_2 \cdots M_k$, 

$$H(M) = F\big(\pi\big(F(\cdots F(F(IV, M_1), M_2)\cdots)\big), M_k\big).$$

In this paper, we describe the MDP composition scheme, and prove that it 
satisfies many desirable security properties: 

— It is collision resistant if the underlying compression function is. 

— It is indifferentiable from a random oracle when a FIL random oracle is used 
as the compression function. 
— It is also a PRF when keyed via the IV if the compression function is a PRF secure against a (very mild) related-key attack when keyed via the chaining variable. In addition, if the compression function is also a PRF when keyed via the input message block, then MDP yields a PRF when the key is prepended to the message: $M \mapsto H(K\|M)$ for a secret key $K$. 

— It is unforgeable if the underlying compression function is an unforgeable 
FIL MAC with a dedicated key input. 

Despite the minuscule modification MDP makes to the original MD scheme, we see that it has many benefits. MDP loses essentially none of the efficiency of the MD scheme. As categorized above, MDP preserves collision resistance, random-oracle behaviour and unforgeability. Furthermore it "almost" preserves the PRF property, under a weak related-key assumption. So not only does it give a strong hash function; as a PRF it also gives a secure MAC mechanism which is twice as fast as HMAC for short messages. 

We also study the random-oracle indifferentiability of MDP when the underlying compression function has some structure; we consider MDP with two specific types of compression function. One is a double-block-length (DBL) compression function of the form $F(s\|x) = f(s\|x)\,\|\,f(p(s)\|x)$, where $f$ is a smaller compression function and $p$ is a permutation. The other is the Davies-Meyer compression function. We show that MDP emulates a VIL random oracle if 

— $f$ is a random oracle and $\pi$ and $p$ are chosen appropriately in the DBL compression function $F$; or 

— $F$ is the Davies-Meyer compression function in the ideal cipher model. 

Related Work. A hash function composition scheme very similar to MDP was suggested before: in a public comment on a FIPS 180-2 draft, Kelsey proposed a simple enhancement to the SHA-2 hash functions, originally suggested by Ferguson. Their scheme is a special case of MDP, with the permutation $\pi(x) = x \oplus C$, where $C$ is a fixed, non-zero offset. Their motivation was to eliminate the extension property of MD hash functions with the least modification. But, as far as the authors know, the security of this proposal was never rigorously proven before. 

While proposing indifferentiability from a random oracle as an important security goal for a hash function, Coron et al. also proposed four constructions which satisfy indifferentiability from a random oracle, thereby proving that such schemes exist. Also, Bellare and Ristenpart proposed the EMD construction. It is probably the first paper that succeeded in finding a serious practical alternative to the MD scheme which meets the raised security goals (indifferentiability from a random oracle, among others). Similar to MDP, EMD is also a variant of the MD scheme. Also, EMD achieves essentially the same goals as MDP, but there are a few differences: 

— The structure of MDP is simpler than that of EMD; this is reflected in 
the fact that MDP is slightly more efficient than EMD, especially for short 
messages. 
— When used as a MAC via the key-via-IV strategy, MDP needs a slightly stronger assumption than EMD does; assuming that the compression function is secure as a PRF under a very weak related-key attack, we prove that keyed MDP is secure as a PRF. Therefore, at least for PRF-ness, MDP is not a "multi-property-preserving" transform like EMD. 

— On the other hand, MDP needs only one key in the above situation, while 
EMD needs two separate keys, while achieving the security of only one key 
due to the divide-and-conquer attack. One may consider a one-key version 
of EMD by employing some key derivation function similar to the case of 
HMAC, but then one would need additional assumption on the compres- 
sion function, namely PRF-security under some related-key attacks, which 
is essentially the same type of assumption needed for MDP. 

— Given an MDP hash function H , one can use H as a black-box to obtain a 
secure MAC, by prefix construction H(K\\M). This seems to be difficult in 
the case of EMD. 

Chang et al. further discussed indifferentiability from a random oracle for the MD scheme with prefix-free encoding. They considered compression functions built from a block cipher and DBL compression functions of the same form we consider. Nandi introduced this formalization of a class of DBL compression functions and discussed the collision resistance of hash functions composed of them. 

In studying the MAC properties of MDP, we follow two directions. First, we show that MDP gives a very efficient MAC by showing its pseudorandomness under the assumption that the compression function is a PRF secure against a mild form of related-key attack. For this, we use a restricted version of the notion of PRF-security against related-key attacks formalized and studied by Bellare and Kohno. Essentially, the proof can be considered as a related-key version of the proof of prefix-free PRF security of the cascade construction. 

We are also interested in seeing whether the security of MDP as a MAC can be proved under weaker assumptions, similar to the security of HMAC under a weaker-than-PRF assumption on the compression function. After An and Bellare initiated such investigations, Maurer and Sjödin provided several transforms as well as a general security proof technique. These works consider the setting where compression functions and hash functions are families indexed by a dedicated key, and only focus on MAC preservation when the underlying compression function is a MAC itself, namely, when it is an unforgeable FIL MAC. 

Recently, Bellare and Ristenpart further considered several hash function constructions in the dedicated-key setting, and provided a multi-property-preservation oriented treatment of them. 

Organization of the Paper. In Section 2 we provide basic definitions of PRFs, RKA-secure PRFs, indifferentiability, and unforgeability. We also fix notational conventions in this section. In Section 3 we formally define the MDP construction. In Section 4 we analyze the security of MDP. Section 4 consists of three parts: first, we prove that MDP is indifferentiable from a random oracle, then we prove that MDP gives a secure PRF under the necessary assumptions, and finally we prove that MDP yields a secure MAC under a weaker-than-PRF assumption. In Section 5 we focus on the indifferentiability of MDP based on two specific types of compression function: one is a DBL compression function and the other is the Davies-Meyer compression function composed of a block cipher. Detailed proofs of several lemmas and theorems in Section 4 are described in the full version of this paper. 

2 Definitions 

Pseudorandom Functions. Let $F : \mathcal{K} \times \mathcal{D} \to \mathcal{R}$ be a function family from $\mathcal{D}$ to $\mathcal{R}$ indexed by keys $K \in \mathcal{K}$. Usually we will write $F_K(x)$ as shorthand for $F(K, x)$. Let $\mathrm{Maps}(\mathcal{D}, \mathcal{R})$ denote the set of all functions $f : \mathcal{D} \to \mathcal{R}$. Given an adversary $A(g)$ with access to an oracle $g(\cdot)$, we define its PRF-advantage over $F$ as 

$$\mathrm{Adv}^{\mathrm{prf}}_F(A) = \Pr\big[A(F_K) \Rightarrow 1 \;\big|\; K \xleftarrow{\$} \mathcal{K}\big] - \Pr\big[A(\rho) \Rightarrow 1 \;\big|\; \rho \xleftarrow{\$} \mathrm{Maps}(\mathcal{D}, \mathcal{R})\big].$$

Informally, we say that $F$ is a PRF when no efficient adversary $A$ can have any significant PRF-advantage over $F$. 

RKA-Secure PRFs. Related-key attacks were considered in the cryptanalysis of block ciphers, and many modern block ciphers are designed to resist such attacks. Bellare and Kohno first gave a formal definition of related-key attacks and provided a theoretical treatment. They extended the formal definition of PRFs to PRFs secure against related-key attacks (RKA-secure PRFs). 

In the definition given by Bellare and Kohno, one considers a set $\Phi$ of related-key-deriving (RKD) functions $\phi : \mathcal{K} \to \mathcal{K}$. As in the case of plain PRFs, an adversary cannot access the given secret key $K$ directly, but she can query the PRF with respect to other keys $\phi(K)$ by selecting an RKD function $\phi$ from $\Phi$. The set $\Phi$ is a parameter of the definition, and it formalizes the varying capabilities of related-key adversaries in different situations. 

In this paper, we need only a very weak adversary in terms of related-key attacks: the RKD function set $\Phi$ consists of only two functions, $\Phi = \{\mathrm{id}, \pi\}$, where $\mathrm{id} : \mathcal{K} \to \mathcal{K}$ is the identity function, and $\pi : \mathcal{K} \to \mathcal{K}$ is a permutation. We refer to this type of related-key attack as a $\pi$-related-key attack and formalize it in the following way. Given an adversary $A(g, g')$ with access to a pair of oracles $g(\cdot)$ and $g'(\cdot)$, we define its PRF-advantage over $F$ with respect to $\pi$-related-key attacks as 

$$\mathrm{Adv}^{\pi\text{-}\mathrm{rka}}_F(A) = \Pr\big[A(F_K, F_{\pi(K)}) \Rightarrow 1 \;\big|\; K \xleftarrow{\$} \mathcal{K}\big] - \Pr\big[A(\rho, \rho') \Rightarrow 1 \;\big|\; \rho, \rho' \xleftarrow{\$} \mathrm{Maps}(\mathcal{D}, \mathcal{R})\big].$$

Note that this formalism is equivalent to that of Bellare and Kohno when $\Phi = \{\mathrm{id}, \pi\}$ is used. 

Again informally, we say that $F$ is a $\pi$-RKA-secure PRF when no efficient adversary $A$ can have any significant advantage over $F$. Since the $\pi$-related-key attack is the only kind of related-key attack that we consider in this paper, we sometimes abuse the terminology and simply call $F$ an RKA-secure PRF. 

Indifferentiability. We use the indifferentiability framework to assess the security of MDP. Consider a cryptosystem $\mathcal{C} = \mathcal{C}(\mathcal{F})$ with oracle access to an ideal primitive $\mathcal{F}$. Also consider an ideal primitive $\mathcal{H}$ and a simulator $S = S(\mathcal{H})$ which has oracle access to $\mathcal{H}$. $\mathcal{C}$ is supposed to be a "construction" involving $\mathcal{F}$. For example, $\mathcal{F}$ could be a FIL random oracle, and $\mathcal{C}$ then could be the MD hash function using $\mathcal{F}$ as the compression function. The goal of the simulator $S(\mathcal{H})$ is to mimic $\mathcal{F}$ in order to convince an adversary that $\mathcal{H}$ is $\mathcal{C}$. Let $A$ be an adversary with access to two oracles. We define the differentiability advantage of $A$ against $\mathcal{C}$ with respect to $S$ as 

$$\mathrm{Adv}^{\mathrm{diff}}_{\mathcal{C}, S}(A) = \Pr\big[A(\mathcal{C}(\mathcal{F}), \mathcal{F}) \Rightarrow 1\big] - \Pr\big[A(\mathcal{H}, S(\mathcal{H})) \Rightarrow 1\big].$$

Informally, we say that $\mathcal{C}(\mathcal{F})$ is indifferentiable from $\mathcal{H}$ if there exists a simulator $S(\mathcal{H})$ such that no efficient adversary $A$ can have any significant differentiability advantage against $\mathcal{C}$ with respect to $S$. 

Unforgeability. A MAC is a family of functions $F : \mathcal{K} \times \mathcal{M} \to \mathcal{C}$. The security of a MAC is measured via its resistance to existential forgery under an adaptive chosen-message attack. The MAC-advantage of a forger $A$ over $F$ is 

$$\mathrm{Adv}^{\mathrm{mac}}_F(A) = \Pr\big[A(F_K, V_{F_K}) \text{ forges} \;\big|\; K \xleftarrow{\$} \mathcal{K}\big].$$

A forger $A$ queries the oracle $F_K(\cdot)$ on adaptively chosen messages and learns the corresponding tag values. It then returns a forgery $(M, \tau)$. The forger $A$ is considered successful if it makes a verification query $(M, \tau)$ to the oracle $V_{F_K}(\cdot, \cdot)$ which confirms that $F_K(M) = \tau$, while $M$ was never queried to $F_K(\cdot)$. We refer to a forger $A$ of this kind as a $(t, q, l, \epsilon)$-forger if $\mathrm{Adv}^{\mathrm{mac}}_F(A) \ge \epsilon$, where $t$, $q$ and $l$ are upper bounds on the running time, the number of messages, and the maximal length (in bits) of each oracle query including the forgery message $M$, respectively. Informally, a MAC is considered secure against existential forgery under an adaptive chosen-message attack if there is no $(t, q, l, \epsilon)$-forger, even for very large values of $t$, $q$ and $l$ and very small values of $\epsilon$. 

Notation. Let $b$ be the size of the message blocks, and $c$ the size of the chaining variables. As is usual in popular hash functions, we assume that $c \le b$. Then the compression function $F(s, x)$ has the following form: 

$$F : \{0,1\}^c \times \{0,1\}^b \to \{0,1\}^c.$$

Let $\mathcal{C} = \{0,1\}^c$ and $\mathcal{B} = \{0,1\}^b$, to abbreviate the above as $F : \mathcal{C} \times \mathcal{B} \to \mathcal{C}$. 

We denote by $M_1\|M_2$ the concatenation of bitstrings $M_1$ and $M_2$. We will often abbreviate $M_1\|M_2\|\cdots\|M_k$ simply as $M_1 M_2 \cdots M_k$. Let $\mathcal{B}^i$ be the set of all messages of the form $M_1 M_2 \cdots M_i$, where $M_j \in \mathcal{B}$ for all $j = 1, \ldots, i$. Clearly, $\mathcal{B}^0 = \{\varepsilon\}$, where $\varepsilon$ denotes the null bitstring, the bitstring of length 0. Let us define $\mathcal{B}^* = \bigcup_{i \ge 0} \mathcal{B}^i$, $\mathcal{B}^+ = \bigcup_{i \ge 1} \mathcal{B}^i$, and $\mathcal{B}^{\le k} = \bigcup_{i=1}^{k} \mathcal{B}^i$. 

We will process messages block by block. The notation $M_1 M_2 \cdots M_k \leftarrow \mathrm{parse}(M)$ will mean that $M = M_1\|M_2\|\cdots\|M_k$, with $|M_i| = b$ for all $i = 1, \ldots, k-1$, and $|M_k| \le b$. We denote by $s \xleftarrow{\$} S$ the operation of selecting a random element from $S$ (the uniform probability distribution over $S$ is assumed). 

We sometimes use the $O$-notation. This is not about asymptotics; we use this notation to hide unimportant small constants which depend on specific machine formalisms, and whose values can be determined from the proof. 

3 The MDP Construction 

Given $F : \mathcal{C} \times \mathcal{B} \to \mathcal{C}$, we define $F^* : \mathcal{C} \times \mathcal{B}^* \to \mathcal{C}$ as follows: 

$$F^*(s, M) \stackrel{\mathrm{def}}{=} \begin{cases} s & \text{if } k = 0, \text{ i.e., } M = \varepsilon, \\ F\big(F^*(s, M_1 \cdots M_{k-1}), M_k\big) & \text{otherwise,} \end{cases}$$

for $M = M_1 M_2 \cdots M_k$ ($M_i \in \mathcal{B}$ for all $i$). This is the plain Merkle-Damgård iteration of $F$. Now we define $F^\circ : \mathcal{C} \times \mathcal{B}^+ \to \mathcal{C}$ as follows: 

$$F^\circ(s, M_1 M_2 \cdots M_k) = F\big(\pi\big(F^*(s, M_1 \cdots M_{k-1})\big), M_k\big),$$

where $\pi$ is a permutation applied right before the last iteration. $\pi$ is a fixed permutation given as a parameter of the definition. We require both $\pi$ and $\pi^{-1}$ to be efficiently computable. Often we omit $\pi$ from the notation $F^\circ_\pi$ and simply write $F^\circ$. 

The domain of $F^\circ$ is $\mathcal{B}^+ = \bigcup_{i \ge 1} \mathcal{B}^i = \bigcup_{i \ge 1} \{0,1\}^{bi}$. In order to let MDP process messages of arbitrary length (up to $2^l$ bits, for some large number $l$ satisfying $0 < l < b$), we have to use a padding function $\mathrm{pad} : \bigcup_{i < 2^l} \{0,1\}^i \to \mathcal{B}^+$ with the following property: the last block of $\mathrm{pad}(M)$ encodes the $l$-bit representation of the length $|M|$ of $M$. For example, SHA-1's padding rule could be used. 

Finally, given a compression function $F : \mathcal{C} \times \mathcal{B} \to \mathcal{C}$, a padding function $\mathrm{pad}$, a permutation $\pi$, and a fixed initial value $IV \in \mathcal{C}$, we formally define the MDP (Merkle-Damgård with a Permutation) hash function as 

$$\mathrm{MDP}(M) = F^\circ(IV, \mathrm{pad}(M)).$$

When we want to emphasize the dependency of $\mathrm{MDP}(M)$ on $F$ and $\pi$, we sometimes use the notation $\mathrm{MDP}[F, \pi](M)$. 
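As an added worked example (written for this page, not code from the paper), the following Python builds a toy strengthened MD hash and a toy MDP[F, π] from the same compression function, and then runs the length-extension forgery from the introduction against the prefix MAC $M_K(x) = H(K\|x)$ under both. Everything concrete here is an assumption made for the demonstration: $F$ is SHA-256 truncated to $c = 128$ bits, $b = 256$, the padding is SHA-1 style with a 64-bit length field, and $\pi$ is XOR with a constant (the Kelsey/Ferguson special case). The forgery needs only the tag, the key length and the message, never the key.

```python
"""Toy MD vs. MDP and the length-extension forgery against H(K||x).
Illustration code for this page, not the paper's; all parameters are assumptions."""
import hashlib

B = 32   # b = 256-bit message blocks (assumption)
C = 16   # c = 128-bit chaining variables, c <= b as the paper requires (assumption)
L = 8    # l = 64-bit length field in the padding (assumption)
IV = bytes(C)                       # fixed IV (assumption)
PI_CONST = bytes([0x5C]) * C        # pi(x) = x XOR PI_CONST, an involution (assumption)


def F(s: bytes, x: bytes) -> bytes:
    """FIL compression function F: C x B -> C, modelled here as truncated SHA-256."""
    assert len(s) == C and len(x) == B
    return hashlib.sha256(s + x).digest()[:C]


def pi(s: bytes) -> bytes:
    """The permutation applied before the last block; pi is its own inverse."""
    return bytes(a ^ b for a, b in zip(s, PI_CONST))


def pad(m: bytes) -> bytes:
    """MD strengthening, SHA-1 style: a '1' bit, zero bits, then the l-bit bit-length."""
    out = m + b"\x80"
    out += b"\x00" * ((-len(out) - L) % B)
    return out + (8 * len(m)).to_bytes(L, "big")


def blocks(p: bytes) -> list:
    return [p[i:i + B] for i in range(0, len(p), B)]


def f_star(s: bytes, blks: list) -> bytes:
    """F*(s, M1..Mk): the plain MD iteration starting from chaining value s."""
    for x in blks:
        s = F(s, x)
    return s


def md_hash(m: bytes) -> bytes:
    """Strengthened MD: F*(IV, pad(M))."""
    return f_star(IV, blocks(pad(m)))


def mdp_hash(m: bytes) -> bytes:
    """MDP: F(pi(F*(IV, M1..M_{k-1})), Mk) over the blocks of pad(M)."""
    blks = blocks(pad(m))
    return F(pi(f_star(IV, blks[:-1])), blks[-1])


def prefix_mac(hash_fn, key: bytes, msg: bytes) -> bytes:
    """The prefix construction M_K(x) = H(K||x)."""
    return hash_fn(key + msg)


def extension(key_len: int, msg: bytes, suffix: bytes):
    """Attacker's view: x' = msg || glue || suffix, where glue is the padding of K||msg.
    The padding depends only on lengths, so the key is never needed.  Also returns
    the blocks that continue the iteration past pad(K||msg)."""
    glue = pad(b"\x00" * key_len + msg)[key_len + len(msg):]
    forged = msg + glue + suffix
    total = key_len + len(forged)
    tail = pad(b"\x00" * total)[total:]            # padding of K||forged, key-independent
    return forged, blocks(suffix + tail)


def forge_md(tag: bytes, key_len: int, msg: bytes, suffix: bytes):
    """Against plain MD the tag *is* the chaining value after pad(K||msg): keep iterating."""
    forged, cont = extension(key_len, msg, suffix)
    return forged, f_star(tag, cont)


def forge_mdp_attempt(tag: bytes, key_len: int, msg: bytes, suffix: bytes):
    """Same idea against MDP.  The tag equals F(pi(state), M_k), not the MD state after
    all blocks, so the attacker holds no usable chaining value; this should fail."""
    forged, cont = extension(key_len, msg, suffix)
    return forged, F(pi(f_star(tag, cont[:-1])), cont[-1])


def demo(key: bytes = bytes(range(16)), msg: bytes = b"amount=100&to=alice",
         suffix: bytes = b"&to=mallory"):
    """Returns (forgery accepted under MD prefix MAC, forgery accepted under MDP prefix MAC)."""
    tag_md = prefix_mac(md_hash, key, msg)
    forged, forged_tag = forge_md(tag_md, len(key), msg, suffix)
    md_accepts = prefix_mac(md_hash, key, forged) == forged_tag
    tag_mdp = prefix_mac(mdp_hash, key, msg)
    forged2, forged_tag2 = forge_mdp_attempt(tag_mdp, len(key), msg, suffix)
    mdp_accepts = prefix_mac(mdp_hash, key, forged2) == forged_tag2
    return md_accepts, mdp_accepts


if __name__ == "__main__":
    print(demo())   # (True, False)
```

The MD forgery verifies because $\mathrm{pad}(K\|x')$ is exactly $\mathrm{pad}(K\|x)$ followed by the continuation blocks, so the honest iteration passes through the state the attacker already holds. Under MDP that state is never emitted: the tag is $F(\pi(\cdot), M_k)$, and inverting $F$ to recover the untwisted chaining value is what the FIL random oracle model rules out.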

Figure 1 illustrates the structure of MDP. One can consider the MDP construction as a minor variant of the MD scheme with MD strengthening. Therefore the efficiency of MDP is exactly the same as that of strengthened MD (SMD). 

Fig. 1. The structure of MDP 

More precisely, let us write the number of compression function invocations needed to compute the hash value of an $\ell$-bit string as $N(\ell)$. Suppose that we use a padding function similar to that of SHA-1: given a message $M$ of length $\ell$, append the bit '1' to the end of the message, followed by $k$ zero bits, where $k$ is the smallest non-negative solution of $\ell + 1 + k \equiv b - l \pmod b$. Then append the $l$-bit representation of the number $\ell$. In the case of SHA-1, we have $b = 512$ and $l = 64$. Then for MDP (and SMD) the following holds: 

$$N(\ell) = \begin{cases} \lfloor \ell/b \rfloor + 1 & \text{if } \ell \bmod b < b - l, \\ \lfloor \ell/b \rfloor + 2 & \text{otherwise.} \end{cases}$$

(The '1' bit and the $l$-bit length field fit into the block holding the last $\ell \bmod b$ message bits exactly when $(\ell \bmod b) + 1 + l \le b$; otherwise they spill into one more block. A message whose length is a multiple of $b$ still needs a padding block, which is why the first case reads $\lfloor \ell/b \rfloor + 1$ rather than $\lceil \ell/b \rceil$.) 

For comparison, this is slightly better than the efficiency of EMD; for EMD the following holds: 

$$N(\ell) = \begin{cases} \lfloor \ell/b \rfloor + 1 & \text{if } \ell \bmod b < b - c - l, \\ \lfloor \ell/b \rfloor + 2 & \text{otherwise.} \end{cases}$$

Concretely, if we take the parameters of SHA-1, that is, $b = 512$, $c = 160$ and $l = 64$, then for messages whose length modulo 512 lies between 288 and 447, EMD needs one more invocation than MDP. On average, EMD needs $c/b$ more invocations of the compression function than MDP; again with the parameters of SHA-1, $c/b \approx 0.31$. 
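An added check of the block count above (example code for this page, not from the paper): the padding rule is simulated directly on bit lengths and compared with the closed form for every length up to a few blocks, and the window in which the EMD closed form (taken as quoted in the text, not derived from EMD itself) costs one more invocation is located. SHA-1's parameters $b = 512$, $c = 160$, $l = 64$ are assumed.

```python
"""Compression-function call counts under SHA-1-style padding: MDP/SMD vs. the EMD
closed form.  Example for this page, not the paper's code; SHA-1 parameters assumed."""


def padded_blocks(ell: int, b: int = 512, l: int = 64) -> int:
    """Simulate the padding rule: append '1', then k zero bits (k >= 0 minimal with
    ell + 1 + k = b - l (mod b)), then the l-bit length; return the block count."""
    k = (b - l - ell - 1) % b
    total = ell + 1 + k + l
    assert total % b == 0
    return total // b


def n_mdp(ell: int, b: int = 512, l: int = 64) -> int:
    """Closed form for MDP and strengthened MD: an extra block only when the '1' bit
    and the length field do not fit after the last partial block."""
    return ell // b + 1 if ell % b < b - l else ell // b + 2


def n_emd(ell: int, b: int = 512, c: int = 160, l: int = 64) -> int:
    """Closed form quoted for EMD: its final block also carries c bits of chaining
    value, so the threshold drops from b - l to b - c - l."""
    return ell // b + 1 if ell % b < b - c - l else ell // b + 2


def check_formula(max_bits: int = 4096) -> bool:
    """The closed form must agree with the simulated padding for every length,
    including multiples of b, which still need a padding block."""
    return all(padded_blocks(ell) == n_mdp(ell) for ell in range(max_bits + 1))


def emd_penalty_window(b: int = 512, c: int = 160, l: int = 64):
    """Residues ell mod b where EMD needs one more call than MDP, and their share."""
    extra = [r for r in range(b) if n_emd(r, b, c, l) > n_mdp(r, b, l)]
    return min(extra), max(extra), len(extra) / b


if __name__ == "__main__":
    print(check_formula())          # True
    print(emd_penalty_window())     # (288, 447, 0.3125)
```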

4 Security of MDP 

In this section, we study the security of MDP and prove that MDP indeed meets 
all the security goals that we wanted. 

4.1 Collision Resistance 

First, MDP is collision-resistant. Given a collision-resistant compression function 
F, MDP construction from F is also collision-resistant. The proof is trivial; since 
the structure of MDP is very similar to the MD scheme, we may follow the proof 
of collision resistance of the MD almost verbatim. 

4.2 Indifferentiability from Random Oracle 

We show that MDP is indifferentiable from a random oracle $\mathcal{H}$ when a FIL random oracle $\mathcal{F}$ is used as the compression function. Therefore we need a simulator $S_\mathcal{F}$ such that no efficient adversary can distinguish (or rather, differentiate) the pair $(\mathrm{MDP}[\mathcal{F}, \pi], \mathcal{F})$ from the pair $(\mathcal{H}, S_\mathcal{F})$. We will use the simulator illustrated in Figure 2. 

  Initialize: 
    V ← S ← {IV} 

  Interface F(s, x): 
    100:  V ← V ∪ {s} 
    101:  if F(s, x) = ⊥ then 
    102:    if s ∈ S then 
    103:      t ←$ C \ (V ∪ π(S) ∪ π^{-1}(V) ∪ {IV}) 
    104:      S ← S ∪ {t} 
    105:      F(s, x) ← t 
    106:    else if π^{-1}(s) ∈ S then 
    107:      F(s, x) ← H(M||x), where F*(IV, M) = π^{-1}(s) 
    108:    else 
    109:      F(s, x) ←$ C 
    110:    V ← V ∪ {F(s, x)} 
    111:  return F(s, x) 

Fig. 2. Pseudocode for the simulator $S_\mathcal{F}$ 

$S_\mathcal{F}$ maintains a table $F(s, x)$ in which it stores the previously selected values of the queries $S_\mathcal{F}(s, x)$. Initially $F(s, x) = \bot$ for all $s$ and $x$, where $\bot$ means undefined. $S_\mathcal{F}$ also maintains two sets $V$ and $S$. Both are initially set to the singleton set $\{IV\}$. As more queries are made, new elements are added to the sets. Note that elements never leave the sets. 

When queried on $S_\mathcal{F}(s, x)$, if $F(s, x) = \bot$, $S_\mathcal{F}$ chooses a value $t$ at random according to the algorithm in Figure 2 and defines $F(s, x) \leftarrow t$. If we consider the labeled directed graph $G$ whose edges are $s \xrightarrow{x} F(s, x)$ for all $F(s, x) \ne \bot$, then we can see that $V$ is the set of all vertices of $G$. On the other hand, $S$ is the set of all vertices that can be reached by following a path from the vertex $IV$. In order to prove the indifferentiability of MDP, we need a few lemmas about the simulator $S_\mathcal{F}$: 

Lemma 1. At any time during the execution of the simulator $S_\mathcal{F}$, if $s \in S$ for some $s$, then $F^*(IV, M) = s$ for some $M$. Conversely, if $F^*(IV, M) \ne \bot$, then $F^*(IV, M) \in S$. 

Lemma 2. Suppose that both $F^*(IV, M)$ and $F^*(IV, M')$ are defined. Then $F^*(IV, M) = F^*(IV, M')$ if and only if $M = M'$. 

Lemma 3. Suppose that both $F^*(IV, M)$ and $F^*(IV, M')$ are defined. Then $F^*(IV, M) \ne \pi(F^*(IV, M'))$ and $F^*(IV, M) \ne \pi^{-1}(F^*(IV, M'))$. 

Lemmas 1 and 2 essentially say that the subgraph $S$ of $V$ is in fact a rooted tree with $IV$ as the root. Note that, because these three lemmas are only about the subgraph $S$, as long as lines 102 to 105 are intact, lines 106 to 109 do not affect the validity of the lemmas. Also, due to Lemmas 1 and 2, line 107 in the pseudocode of Figure 2 is well defined: $\pi^{-1}(s) \in S$ guarantees that a message $M$ with $F^*(IV, M) = \pi^{-1}(s)$ exists and is unique. We omit the proofs of the three lemmas since they are straightforward. 

The basic intuition behind the pseudocode of $S_\mathcal{F}$ is this: the permutation $\pi$ disrupts the extension property of the MD scheme if it has only a small number of fixed points and $IV$ is not a fixed point. Now, the best strategy of an adversary seems to be computing $F^*(IV, M)$ for various messages $M$ (by querying the FIL oracle), until one of the following happens: 

— The adversary finds two distinct messages $M, M'$ such that $F^*(IV, M) = F^*(IV, M')$; in this case, we have $H(M\|P) = H(M'\|P)$ for any message block $P$, if $H$ is the MDP. But the probability of this equality is very low if $H$ is a true random oracle. 

— The adversary finds two distinct messages $M, M'$ such that $F^*(IV, M) = \pi(F^*(IV, M'))$; in this case, we have $H(M\|P\|Q) = F(\pi(H(M'\|P)), Q)$ for any message blocks $P$ and $Q$, if $H$ is the MDP. But similarly the probability of this equality is very low if $H$ is a true random oracle, because the simulator which selects the value $F(\pi(H(M'\|P)), Q)$ has information about $Q$, but it does not have access to the adversarial choice of $P$. 

Another, minor, strategy is to find a message $M$ such that $F^*(IV, M)$ is a fixed point of $\pi$ or a part of a previous query to $F$. 

The simulator $S_\mathcal{F}$ is designed so that Lemmas 1, 2 and 3 hold, which delays the above failing situations as long as possible. This is achieved by the careful expansion of the tree $S$ at line 103. Note that by a birthday attack the attacker can eventually find a message pair $M, M'$ satisfying $F^*(IV, M) = F^*(IV, M')$ or $F^*(IV, M) = \pi(F^*(IV, M'))$. Therefore, MDP can be indifferentiable from a random oracle only up to the birthday bound². 

Now, the indifferentiability of MDP is expressed in the next theorem. 

Theorem 1. Let A be an adversary distinguishing the pairs (MDP[F, π], F) and 
(H, S_F), where the simulator S_F is defined in Fig. [?]. Let π be a permutation on 
C and P_π be the set of its fixed points such that IV ∉ P_π. Then, 

  Adv^{indiff}_{MDP[F,π],S_F}(A) ≤ \frac{(l q_V + q_F)(3 l q_V + q_F + 1)}{2^c} + \frac{l q_V q_F}{2^c} + \frac{|P_π| (2 l q_V + q_F)}{2^c}, 

where q_F is the number of queries to the FIL oracle, and q_V the number of 
queries to the VIL oracle. l is the maximum number of message blocks for each 
VIL query, and c is the size of the chaining variables. Moreover, S_F makes at most 
q_F queries and runs in time O(q_F^2). 


2 MDP, being random-oracle indifferentiable, prevents the extension property. But 
once a colliding message pair due to an internal MD collision is found, for example 
by birthday attack, or by insecurity of the compression function, any common suffix 
can be added to the message pair. This serious effect of extension attacks is not 
resolved by MDP (nor by other similarly proposed composition schemes). 
4.3 MDP Yields Secure PRFs 

In this section, we show that when the compression function F is a PRF secure 
against π-related-key attacks, then MDP yields a secure PRF. This construction 
could be used as an alternative to HMAC or NMAC. 

In order to use MDP as a PRF, we need to provide a keying strategy for MDP. 
We may consider at least two straightforward such approaches:³ 

— Keyed-MDP: We may use a secret key K ←$ C instead of the fixed IV, and 
define a MAC scheme out of MDP by KMDP_K(M) = F°(K, pad(M)). 

— Prefix-MDP: Given a message M and a key K ∈ B, we define PMDP_K(M) = 
MDP(K||M), i.e., the secret prefix construction. Note that PMDP_K(M) = 
KMDP_{F(IV,K)}(M). Although less efficient than Keyed-MDP, this has the ben- 
efit that it may use the underlying hash function as a black box. 

Remark 1. If KMDP_K(M) were a secure PRF whenever F is a secure PRF, then 
we could say that MDP preserves the PRF property, in the sense of Bellare and 
Ristenpart [?]. Unfortunately this is not the case; if, for example, F satisfies 
F_K(x) = F_{π(K)}(x) for any K and x, then the MDP construction reduces to the 
plain Merkle-Damgård scheme, which is vulnerable to the extension attack. 
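The extension property that MDP is designed to block, and the two keying strategies above, as an added Python example (this is not code from the paper): a toy compression function F built from SHA-256, one-zeroes padding (the paper's pad is not specified on this page, so that choice is an assumption), and π(u) = u ⊕ δ as an involution with no fixed points. It shows that a plain MD digest of M can be continued into the digest of pad(M)||suffix knowing only |M|, that the same continuation fails for MDP because the digest was computed from π of the chaining value rather than from the chaining value itself, and that PMDP_K(M) = KMDP_{F(IV,K)}(M) holds exactly when K is one block. All names, sizes and sample inputs are constructed for this example.

```python
import hashlib

C_BYTES = 16   # chaining-variable size c = 128 bits (toy choice)
B_BYTES = 32   # message-block size b = 256 bits (toy choice)
IV = bytes(C_BYTES)
PI_DELTA = bytes([0xA5]) * C_BYTES   # non-zero, so pi has no fixed points


def F(s: bytes, x: bytes) -> bytes:
    """Toy FIL compression function C x B -> C, modelled with SHA-256 (assumption)."""
    assert len(s) == C_BYTES and len(x) == B_BYTES
    return hashlib.sha256(s + x).digest()[:C_BYTES]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))


def pi(u: bytes) -> bytes:
    """pi(u) = u XOR delta: an involution on C with no fixed points, so IV is not one."""
    return xor(u, PI_DELTA)


def pad(m: bytes) -> bytes:
    """One-zeroes padding to a multiple of b (assumption: the page does not specify
    pad). It is injective and satisfies pad(K||M) = K||pad(M) whenever |K| = b."""
    p = m + b"\x80"
    return p + b"\x00" * (-len(p) % B_BYTES)


def blocks(p: bytes) -> list:
    return [p[i:i + B_BYTES] for i in range(0, len(p), B_BYTES)]


def F_star(s: bytes, xs) -> bytes:
    """F*(s, x_1 ... x_n): plain MD iteration of F starting from chaining value s."""
    for x in xs:
        s = F(s, x)
    return s


def md(iv: bytes, m: bytes) -> bytes:
    """Plain Merkle-Damgard: F*(IV, pad(M))."""
    return F_star(iv, blocks(pad(m)))


def mdp(iv: bytes, m: bytes) -> bytes:
    """MDP[F, pi]: apply pi to the chaining value before the last compression."""
    xs = blocks(pad(m))
    return F(pi(F_star(iv, xs[:-1])), xs[-1])


def kmdp(K: bytes, m: bytes) -> bytes:
    """Keyed-MDP: KMDP_K(M) = F°(K, pad(M)); the secret key replaces IV."""
    return mdp(K, m)


def pmdp(K: bytes, m: bytes) -> bytes:
    """Prefix-MDP: PMDP_K(M) = MDP(K||M) with a one-block key K in B."""
    assert len(K) == B_BYTES
    return mdp(IV, K + m)


def glue(known_len: int, suffix: bytes) -> bytes:
    """Bytes g such that pad(pad(M)||suffix) = pad(M)||g. Only |M| is needed, not M."""
    padded_len = len(pad(bytes(known_len)))
    return pad(bytes(padded_len) + suffix)[padded_len:]


def md_extension(h: bytes, known_len: int, suffix: bytes) -> bytes:
    """Continuing plain MD from a digest reproduces the digest of pad(M)||suffix."""
    return F_star(h, blocks(glue(known_len, suffix)))


def mdp_extension_attempt(h: bytes, known_len: int, suffix: bytes) -> bytes:
    """The same continuation against MDP: h = F(pi(s), x_last) is not the chaining
    value F*(IV, pad(M)) that the genuine computation continues from."""
    xs = blocks(glue(known_len, suffix))
    return F(pi(F_star(h, xs[:-1])), xs[-1])


def demo() -> dict:
    m = b"constructed sample message"          # constructed input
    suffix = b"appended data"                  # constructed input
    extended = pad(m) + suffix                 # the message whose digest is claimed
    K_prefix = bytes(range(B_BYTES))           # constructed one-block key
    return {
        "md_extension_works": md_extension(md(IV, m), len(m), suffix) == md(IV, extended),
        "mdp_extension_works": mdp_extension_attempt(mdp(IV, m), len(m), suffix) == mdp(IV, extended),
        "pmdp_equals_kmdp": pmdp(K_prefix, m) == kmdp(F(IV, K_prefix), m),
    }
```

Running `demo()` returns `md_extension_works` as True, `mdp_extension_works` as False and `pmdp_equals_kmdp` as True; the first two differ only in whether π sits between the last two compression calls, which is the footnote's point that MDP removes the extension property without touching the compression function.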


Related-Key Multi-oracles. In order to prove the security of the two MAC 
schemes, first we need to introduce the notion of multi-oracle distinguishers. 
This was first given in [?] in order to prove that, if the MD scheme is keyed via 
the IV, then the resulting iterated construction is a PRF with respect to prefix-free 
adversaries. What we actually need is not this notion itself, but an extension of 
it, which we call the related-key multi-oracle distinguisher. 

Given a π-RKA-secure PRF F, consider the problem of distinguishing a 2m- 
tuple of instances of F from a 2m-tuple of independent random functions. But, 
for the 2m-tuple of F, we choose m of the keys K_1, ..., K_m randomly and inde- 
pendently, and use π(K_1), ..., π(K_m) as the other m keys. That is, we would 
like to distinguish the distribution of the following 2m-tuple of functions: 

  (F_{K_1}, F_{π(K_1)},  ..., F_{K_m}, F_{π(K_m)}) 

from that of a 2m-tuple of independent random functions. 

We define the advantage of a distinguisher A(g_1, g'_1, ..., g_m, g'_m) with access 
to 2m oracles g_1, g'_1, g_2, g'_2, ..., g_m, g'_m as follows: 

  Adv^{mprf-rka}_{m,F}(A) = Pr[A(F_{K_1}, F_{π(K_1)}, ..., F_{K_m}, F_{π(K_m)}) ⇒ 1 | K_1, ..., K_m ←$ C] 
                        − Pr[A(ρ_1, ρ'_1, ..., ρ_m, ρ'_m) ⇒ 1 | ρ_1, ρ'_1, ..., ρ_m, ρ'_m ←$ Maps(B, C)] 


3 We may consider Keyed-MDP as analogous to NMAC, and Prefix-MDP as analogous 
to HMAC. 
Lemma 4 (Related-Key Multi-oracle Lemma). Suppose that A is a distin- 
guisher with access to 2m oracles g_1, g'_1, ..., g_m, g'_m, as above, and suppose that 
A has time complexity at most t, and makes at most q queries. Then we can 
construct an adversary B(g, g') attacking the π-RKA-security of F such that 

  Adv^{mprf-rka}_{m,F}(A) = m · Adv^{prf-rka}_{π,F}(B). 

B makes at most q queries. And the running time of B is bounded by 
t + O(q · Time(F) + qb log q + qc). 

Security of Keyed-MDP. Now that we have Lemma 4, we prove the following 
lemma which connects the PRF-security of Keyed-MDP with the related-key 
multi-oracles: 

Lemma 5 (Reduction to the Related-Key Multi-oracle). Let A be a 
PRF-adversary against KMDP. Suppose that A has time complexity at most t, 
and makes at most q queries, and each query has length at most l. Then we 
can construct a related-key multi-oracle distinguisher B(g_1, g'_1, ..., g_q, g'_q) with 
access to 2q oracles so that the following holds: 

  Adv^{prf}_{KMDP}(A) = l · Adv^{mprf-rka}_{q,F}(B). 

B makes at most q queries, and the running time of B is bounded by 
t + O(q((l − 1)(b log q + Time(F)) + c)). 

Combining Lemma 4 and Lemma 5 we obtain the following theorem: 

Theorem 2 (PRF-Security of Keyed-MDP). Let A be a PRF-adversary 
against KMDP. Suppose that A has time complexity at most t, and makes at 
most q queries, and each query has length at most l. Then we can construct 
an adversary B(g, g') against the π-RKA-secure PRF F such that 

  Adv^{prf}_{KMDP}(A) = lq · Adv^{prf-rka}_{π,F}(B). 

B makes at most q queries, and the running time of B is bounded by 
t + O(lq(b log q + Time(F) + c)). 

Security of Prefix-MDP. We prove the security of the Prefix-MDP scheme 
by lifting the security proof for Keyed-MDP. Remember that 

  PMDP_K(M) = MDP(K||M) = KMDP_{F(IV,K)}(M). 

Hence, here we have to regard F(s, x) as a function family indexed by the data 
input x. We express this formally by defining the dual function family \bar{F} : B × C → C 
of F: 

  \bar{F}(K, x) = F(x, K). 

In order to prove the security of Prefix-MDP, in addition to the previous 
assumption that F is a π-RKA-secure PRF, we also need to assume that F is a 
PRF when keyed by its data input, i.e., \bar{F} is a PRF. Then we have: 
Lemma 6. Let A be a PRF-adversary against PMDP that has time complexity 
at most t. Then we can construct a PRF-adversary B_{\bar{F}}(g) against the dual PRF 
\bar{F} such that 

  Adv^{prf}_{PMDP}(A) = Adv^{prf}_{KMDP}(A) + Adv^{prf}_{\bar{F}}(B_{\bar{F}}). 

Furthermore, B_{\bar{F}} has time complexity at most t, and makes only 1 oracle query. 

Theorem 3 (PRF-Security of Prefix-MDP). Let A be a PRF-adversary 
against PMDP. Suppose that A has time complexity at most t, and makes at 
most q queries, and each query has length at most l. Then we can construct 
an adversary B_F(g, g') against the π-RKA-secure PRF F, and a PRF-adversary 
B_{\bar{F}}(g) against the dual PRF \bar{F} so that 

  Adv^{prf}_{PMDP}(A) = lq · Adv^{prf-rka}_{π,F}(B_F) + Adv^{prf}_{\bar{F}}(B_{\bar{F}}). 

Furthermore, B_{\bar{F}} has time complexity at most t, and makes only 1 oracle query. 

Remark 2. Even if F is a secure PRF, it could be vulnerable to a π-related-key 
attack. For example, Contini and Yin [?] exhibited a related-key distinguish- 
ing attack on the keyed MD5 compression function using pseudo-collisions of 
MD5 [?]. This attack shows that the keyed MD5 compression function is not a 
good π-RKA-secure PRF when π(x) = x ⊕ Δ. 

Remark 3. Kim et al. [?], and also Contini and Yin [?], showed how to con- 
struct various attacks on HMAC and NMAC using weaknesses of keyed compres- 
sion functions like MD4. The same attacks will work against PMDP under the 
same keyed compression functions. 


4.4 Unforgeability Preservation 

We may use MDP as a MAC under a different keying strategy from that of the above 
section. Now, we consider MDP in the dedicated-key setting, where the compres- 
sion function is a MAC F : K × C × B → C with a dedicated key input. 

Theorem 4. Let π be a permutation on C with no fixed point. Let A be a 
(t, q, l, ε)-forger of MDP[F, π]. Then we can construct a (t', q', l', ε')-forger B 
attacking the FIL MAC F, where q' = qN(l) + N(l) − 1, l' = b + c, and 
ε' = 2ε/(3q'^2 + 3q' + 2). Also, the running time t' is essentially that of A with 
some small overhead that is obvious from the construction of B [?]. 

5 Further Results on Indifferentiability 

5.1 MDP with a Double-Block-Length Compression Function 

A compression function F is called double-block-length (DBL) if it is composed 
of a smaller compression function f and the output length of F is twice as large 
as that of f. We consider a DBL compression function of the form defined in the 
following definition. 
Definition 1. Let c be an even integer, and f : C × B → {0,1}^{c/2}. F : C × B → C 
is a DBL compression function such that F(s, x) = f(s, x)||f(ρ(s), x), where 
s ∈ C, x ∈ B, and ρ is an involution on C with no fixed points. 

The following theorem states that MDP[F, π] is indifferentiable from a VIL ran- 
dom oracle if f is a FIL random oracle and π is chosen appropriately. 

Theorem 5. Let F be a DBL compression function as defined in Definition 1. Let 
π be a permutation on C and P_{π,ρ} = {u | u ∈ C, and π(u) = u or ρ(u)}. Let A 
be an adversary distinguishing the pairs (MDP[F, π], F) and (H, S_F), where the 
simulator S_F is defined in Fig. 3. Suppose that IV ∉ P_{π,ρ}. Then, 

  Adv^{indiff}_{MDP[F,π],S_F}(A) ≤ \frac{7(l q_V + q_F)(3 l q_V + q_F + 1) + l q_V q_F + |P_{π,ρ}| (2 l q_V + q_F)}{2^c}, 

where q_F is the number of queries to the FIL oracle, and q_V the number of 
queries to the VIL oracle. l is the maximum number of message blocks for each 
VIL query, and c is the size of the chaining variables. S_F makes at most q_F queries 
and runs in time O(q_F^2). 

Initialize: 
  V ← S ← {IV} 

Interface F(s, x): 
100  V ← V ∪ {s, ρ(s)} 
101  if F(s, x) = ⊥ then 
102    if s ∈ S then 
103      t ←$ C \ (V ∪ π(S) ∪ π^{-1}(V) ∪ ρ(V) ∪ ρ(π(S)) ∪ π^{-1}(ρ(V)) ∪ P_{π,ρ}) 
104      S ← S ∪ {t} 
105      F(s, x) ← t 
106      F(ρ(s), x) ← swap(t) 
107    else if ρ(s) ∈ S then 
108      t ←$ C \ (V ∪ π(S) ∪ π^{-1}(V) ∪ ρ(V) ∪ ρ(π(S)) ∪ π^{-1}(ρ(V)) ∪ P_{π,ρ}) 
109      S ← S ∪ {t} 
110      F(ρ(s), x) ← t 
111      F(s, x) ← swap(t) 
112    else if π^{-1}(s) ∈ S then 
113      F(s, x) ← H(M||x), where F*(IV, M) = π^{-1}(s) 
114      F(ρ(s), x) ← swap(F(s, x)) 
115    else if π^{-1}(ρ(s)) ∈ S then 
116      F(ρ(s), x) ← H(M||x), where F*(IV, M) = π^{-1}(ρ(s)) 
117      F(s, x) ← swap(F(ρ(s), x)) 
118    else 
119      F(s, x) ←$ C 
120      F(ρ(s), x) ← swap(F(s, x)) 
121    V ← V ∪ {F(s, x), F(ρ(s), x)} 
122  return F(s, x) 

Fig. 3. Pseudocode for the simulator S_F. swap(t_1||t_2) = t_2||t_1 for every t_1, t_2 ∈ {0,1}^{c/2}. 

In Theorem 5 a simulator is prepared for F instead of f. Let \bar{ρ} be a permutation 
on C × B such that \bar{ρ}(s, x) = (ρ(s), x). Since ρ has no fixed points and ρ∘ρ is the 
identity permutation, the same holds for \bar{ρ}. Since \bar{ρ}∘\bar{ρ} is the identity permutation, f(s, x) 
and f(\bar{ρ}(s, x)) are only used for F(s, x) and F(ρ(s), x) for every (s, x) ∈ C × B. 
Thus, F(s, x) and F(s', x') are random and independent of each other if (s', x') ≠ 
\bar{ρ}(s, x), since f is a random oracle. Moreover, since ρ has no fixed points and 
F(s, x) = f(s, x)||f(\bar{ρ}(s, x)), the first half and the second half of F(s, x) are also 
random and independent of each other. Thus, as is shown in Fig. 3, S_F can 
randomly select an output of F for each query. 


5.2 MDP with the Davies-Meyer Compression Function 

In this section, we consider the case that F is the Davies-Meyer compression 
function [?] composed of a block cipher. We show that MDP[F, π] is indifferen- 
tiable from a VIL random oracle if the underlying block cipher is ideal. 


Initialize: 
  V ← S ← {IV} 
  V(x) ← Q(x) ← C 

Interface E(x, s): 
100  V ← V ∪ {s} 
101  if E_x(s) = ⊥ then 
102    if s ∈ S then 
103      E_x(s) ←$ Q(x) \ S_bad 
104      S ← S ∪ {E_x(s) ⊕ s} 
105    else if π^{-1}(s) ∈ S then 
106      u ← H(M||x) ⊕ s, where F*(IV, M) = π^{-1}(s) 
107      if u ∉ Q(x) then 
108        return fail 
109      else 
110        E_x(s) ← u 
111    else 
112      E_x(s) ←$ Q(x) 
113    V ← V ∪ {E_x(s) ⊕ s} 
114    V(x) ← V(x) \ {s} 
115    Q(x) ← Q(x) \ {E_x(s)} 
116  return E_x(s) 

Interface D(x, u): 
200  if D_x(u) = ⊥ then 
201    for every s ∈ S do 
202      if u ⊕ H(M||x) = π(s) then 
203        N ← N ∪ {s}, where F*(IV, M) = s 
204    if |N| ≥ 2 then 
205      return fail 
206    else if |N| = 1 then 
207      if π(s) ∉ V(x) then 
208        return fail 
209      else 
210        D_x(u) ← π(s) 
211    else 
212      D_x(u) ←$ V(x) \ (S ∪ π(S)) 
213    V ← V ∪ {D_x(u), D_x(u) ⊕ u} 
214    V(x) ← V(x) \ {D_x(u)} 
215    Q(x) ← Q(x) \ {u} 
216  return D_x(u) 

Fig. 4. Pseudocode for the simulators S_E and S_D. S_bad = {u ⊕ s | u ∈ V ∪ π(S) ∪ π^{-1}(V) ∪ P_π}. 
A block cipher with block length c and key length b is called a (c, b) 
block cipher. Let E : B × C → C be a (c, b) block cipher. Then E(K, ·) = E_K(·) 
is a permutation for every K ∈ B, and D(K, ·) = D_K(·) = E_K^{-1}(·). E is called 
an ideal cipher if E_K is a truly random permutation for every K ∈ B. 

Theorem 6. Let F : C × B → C be the Davies-Meyer compression function 
with an ideal (c, b) block cipher E, that is, F(s, x) = E_x(s) ⊕ s. Let A be an 
adversary that asks at most q_V queries to the VIL oracle, q_{F_0} queries to the 
FIL encryption oracle and q_{F_1} queries to the FIL decryption oracle. Let l be the 
maximum number of message blocks for each VIL query. Suppose that l q_V + 
q_{F_0} + q_{F_1} < 2^{c-1}. Then, 

  Adv^{indiff}_{MDP[F,π],S_E,S_D}(A) ≤ \frac{13(l q_V + q_{F_0} + q_{F_1})(2 l q_V + q_{F_0} + q_{F_1}) + |P_π| (3 l q_V + q_{F_0})}{2^c}, 

where the simulators S_E and S_D are given in Fig. 4. S_E is a simulator for 
the encryption oracle, and S_D for the decryption oracle. S_E makes at most q_{F_0} 
queries and runs in time O(q_{F_0}(q_{F_0} + q_{F_1})). S_D makes at most q_{F_0} · q_{F_1} queries 
and runs in time O(q_{F_1}(q_{F_0} + q_{F_1})). 
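A worked Python example, added here and not the paper's code, of the two compression functions of Section 5, with toy sizes and SHA-256 standing in for the inner function f (both assumptions): an ideal cipher sampled lazily in the bookkeeping style of Fig. 4 (a fresh ciphertext is drawn from the still-unused set Q(x), a fresh plaintext from V(x), and both directions' tables are kept consistent), the Davies-Meyer compression F(s, x) = E_x(s) ⊕ s of Theorem 6, and the DBL compression F(s, x) = f(s, x)||f(ρ(s), x) of Definition 1 with ρ taken as the bitwise complement, for which the swap relation that the simulator of Fig. 3 relies on is checked.

```python
import hashlib
import os

C_BYTES = 8    # toy block length c = 64 bits (assumption)
B_BYTES = 16   # toy key length b = 128 bits (assumption)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class LazyIdealCipher:
    """A (c, b) ideal cipher sampled lazily: for each key x, E_x is a random
    permutation whose table is filled in only when a point is first queried.
    'Not yet in the table' plays the role of the unused sets V(x) and Q(x) of
    Fig. 4, so E_x and D_x always stay mutually consistent."""

    def __init__(self) -> None:
        self._enc = {}   # x -> {s: E_x(s)}
        self._dec = {}   # x -> {u: D_x(u)}

    def _tables(self, x: bytes):
        return self._enc.setdefault(x, {}), self._dec.setdefault(x, {})

    @staticmethod
    def _fresh(used) -> bytes:
        # Rejection sampling: uniform over C minus the values already assigned.
        while True:
            v = os.urandom(C_BYTES)
            if v not in used:
                return v

    def E(self, x: bytes, s: bytes) -> bytes:
        enc, dec = self._tables(x)
        if s not in enc:
            u = self._fresh(dec)       # uniform over Q(x), the unused ciphertexts
            enc[s], dec[u] = u, s
        return enc[s]

    def D(self, x: bytes, u: bytes) -> bytes:
        enc, dec = self._tables(x)
        if u not in dec:
            s = self._fresh(enc)       # uniform over V(x), the unused plaintexts
            dec[u], enc[s] = s, u
        return dec[u]


def davies_meyer(cipher: LazyIdealCipher, s: bytes, x: bytes) -> bytes:
    """Davies-Meyer compression F(s, x) = E_x(s) XOR s (Theorem 6)."""
    return xor(cipher.E(x, s), s)


def cipher_is_consistent(trials: int = 64) -> bool:
    """E_x never merges two inputs, D_x inverts E_x, and a point first seen by
    the decryption side is answered consistently by the encryption side."""
    cipher = LazyIdealCipher()
    x = bytes(B_BYTES)                                   # constructed key
    plaintexts = [os.urandom(C_BYTES) for _ in range(trials)]
    ciphertexts = [cipher.E(x, s) for s in plaintexts]
    if len(set(ciphertexts)) != len(set(plaintexts)):
        return False
    if any(cipher.D(x, u) != s for s, u in zip(plaintexts, ciphertexts)):
        return False
    u = os.urandom(C_BYTES)
    return cipher.E(x, cipher.D(x, u)) == u


# --- Double-block-length compression of Definition 1 -------------------------

def f(s: bytes, x: bytes) -> bytes:
    """Toy inner compression function with a c/2-bit output (SHA-256 truncated)."""
    return hashlib.sha256(s + x).digest()[:C_BYTES // 2]


def rho(s: bytes) -> bytes:
    """Bitwise complement: an involution on C with no fixed points."""
    return bytes(b ^ 0xFF for b in s)


def F_dbl(s: bytes, x: bytes) -> bytes:
    """F(s, x) = f(s, x) || f(rho(s), x)."""
    return f(s, x) + f(rho(s), x)


def swap(t: bytes) -> bytes:
    """swap(t_1 || t_2) = t_2 || t_1 on c/2-bit halves (caption of Fig. 3)."""
    half = len(t) // 2
    return t[half:] + t[:half]


def dbl_swap_relation_holds(s: bytes, x: bytes) -> bool:
    """Because rho is a fixed-point-free involution, F(rho(s), x) = swap(F(s, x));
    this is why the simulator of Fig. 3 can fix F(rho(s), x) as soon as it fixes F(s, x)."""
    return (F_dbl(rho(s), x) == swap(F_dbl(s, x))
            and rho(rho(s)) == s and rho(s) != s)
```

The lazy sampler is the honest ideal cipher; the simulators S_E and S_D of Fig. 4 differ from it only in which candidates they exclude (S_bad, S ∪ π(S)) and in the chain-consistency checks against H, which is exactly where the terms of the bound in Theorem 6 come from.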
Abstract. Nearly all modern hash functions are constructed by iter- 
ating a compression function. At FSE'04, Rogaway and Shrimpton [?] 
formalized seven security notions for hash functions: collision resistance 
(Coll) and three variants of second-preimage resistance (Sec, aSec, eSec) 
and preimage resistance (Pre, aPre, ePre). The main contribution of this 
paper is in determining, by proof or counterexample, which of these 
seven notions is preserved by each of eleven existing iterations. Our 
study points out that none of them preserves more than three notions 
from [?]. As a second contribution, we propose the new Random-Oracle 
XOR (ROX) iteration that is the first to provably preserve all seven 
notions, but that, quite controversially, uses a random oracle in the iter- 
ation. The compression function itself is not modeled as a random oracle 
though. Rather, ROX uses an auxiliary small-input random oracle (typ- 
ically 170 bits) that is called only a logarithmic number of times. 

1 Introduction 

Cryptographic hash functions, publicly computable maps from inputs of arbi- 
trary length to (short) fixed-length strings, have become a ubiquitous building 
block in cryptography. Almost all cryptographic hash functions are iterative: 
given a compression function F that takes (n + b) bits of input and produces 
n bits of output, they process an arbitrary length input by dividing it into b-bit 
blocks and iterating F appropriately. The widely used Strengthened Merkle- 
Damgård (SMD) construction is known to yield a collision-resistant iter- 
ated hash function if the underlying compression function is collision resistant; 
in other words, SMD preserves collision resistance of the compression function. 

Unfortunately, designing collision resistant compression functions seems quite 
hard: witness the recent collision attacks on several popular hash functions by 
Wang et al. [?]. One way out is to aim for a weaker security notion for the 
compression function, but not so weak as to make the resulting hash function 
useless in practice. A natural question to ask is whether these weaker properties 
are also preserved by SMD. For example, does it preserve second-preimage 
resistance? One may think so, because SMD preserves collision resistance, and 
collision resistance can be shown to imply second-preimage resistance, but this 
says nothing about what happens if you start with a compression function that is 
only second-preimage resistant. Lai and Massey [?] claimed that finding second 
preimages for an iterated hash is equally as hard as finding second preimages 
for the compression function, but this was found to be incorrect by Dean [?] 
and Kelsey and Schneier [?], who show that (for the case of SMD) efficient 
collision-finding attacks immediately give rise to second-preimage attacks that 
beat the anticipated security bound. 

* Extended abstract; we refer to the full version [?] for more details and proofs. 

K. Kurosawa (Ed.): ASIACRYPT 2007, LNCS 4833, pp. 130-146, 2007. 

Contributions. We took as a starting point a paper by Rogaway and Shrimp- 
ton [?] that provides a unifying framework of seven security notions for hash 
functions and the relations among them. Our work explores in detail which of the 
seven properties of [?] are preserved by several published hash constructions. 
Of the eleven schemes we consider (see Table 1), we found that in fact none pre- 
served all seven. This raises the question whether it is possible at all to preserve 
all seven properties. We answer this question in the affirmative, in the ran- 
dom oracle model [?], by presenting a construction that builds on previous work 
by Bellare, Rogaway, Shoup and Mironov [?]. Our construction iterates a 
real-world compression function but, in the iteration, makes a logarithmic (in 
the message length) number of calls to an auxiliary small-input random oracle; 
we will say more in a moment to justify this choice. The existence of seven- 
property-preserving iterations in the standard model is left as an open problem. 

Relevance of the Seven Properties. Apart from collision resistance, Rog- 
away and Shrimpton consider three variants of second-preimage resistance (Sec) 
and preimage resistance (Pre). The standard variants of Sec and Pre are re- 
stricted to randomly chosen preimages, and have important applications like the 
Cramer-Shoup cryptosystem [?] for Sec and Unix-like password storage [?] 
for Pre. The stronger everywhere variants (eSec, ePre) consider adversarially cho- 
sen preimages. The notion of eSec is equivalent to the universal one-way hash 
functions of Naor and Yung [?] and to the target collision resistance of Bellare 
and Rogaway [?]. Bellare and Rogaway show that eSec is sufficient to extend the 
message space of signature schemes that are defined for small messages only. 

Following the standard convention established by Damgård [?], and Bellare 
and Rogaway [?], these notions were formalized for hash function families, in- 
dexed by a (publicly known) key K. Current practical hash functions however 
do not have explicit keys. In fact, it is not even clear what the family is that 
they belong to, so it is rather contrived to regard SHA-256 as a randomly drawn 
member of such a family. Instead, the always-notions aSec and aPre capture 
the intuition that a hash function ought to be (second-)preimage resistant for 
all members of the family, so that it doesn't matter which one is actually used. 
Alternatively, one could see the aSec and aPre notions as the natural exten- 
sions to (second-)preimage resistance of Rogaway's human-ignorance approach to 
collision-resistant hashing with unkeyed compression functions [?]. (See [?] for a 
subsequent work on property preservation for iterations of unkeyed compression 
functions.) In this sense, the aSec and aPre notions strengthen the standard no- 
tions of second-preimage resistance and preimage resistance, respectively, in the 
way needed to say that a fixed function such as SHA-256 is Sec and Pre secure. 
They therefore inherit the practical applications of Sec and Pre security, and are 
thus the right notions to consider when instantiating Cramer-Shoup encryption 
or Unix-like password storage with a fixed function like SHA-256. The formal 
definitions of all seven notions are recalled in Section 2. 

Table 1. Overview of constructions and the properties they preserve. Each row in the 
table represents a hash function construction, each column a security notion of [?]. 
The symbol "Y" means that the notion is provably preserved by the construction; "N" 
means that it is not preserved, in the sense that we come up with a counterexample; 
"?" means that neither proof nor counterexample are known. Underlined entries were 
known, all other results are new. 

Scheme                        | Coll | Sec | aSec | eSec | Pre | aPre | ePre 
------------------------------|------|-----|------|------|-----|------|----- 
Strengthened MD [?]           |  Y   |  N  |  N   |  N   |  N  |  N   |  Y 
Linear [?]                    |  N   |  N  |  N   |  Y   |  N  |  N   |  Y 
XOR-Linear [?]                |  Y   |  N  |  N   |  Y   |  N  |  N   |  Y 
Shoup's [?]                   |  Y   |  N  |  N   |  Y   |  N  |  N   |  Y 
Prefix-free MD [?]            |  Y   |  N  |  N   |  N   |  N  |  N   |  Y 
Randomized [?]                |  Y   |  N  |  N   |  N   |  N  |  N   |  Y 
HAIFA [?]                     |  Y   |  N  |  N   |  N   |  N  |  N   |  Y 
Enveloped MD [?]              |  Y   |  N  |  N   |  N   |  N  |  N   |  Y 
Strengthened Merkle Tree [?]  |  Y   |  N  |  N   |  N   |  N  |  N   |  Y 
Tree Hash [?]                 |  N   |  N  |  N   |  N   |  N  |  N   |  Y 
XOR Tree [?]                  |  ?   |  ?  |  N   |  ?   |  Y  |  N   |  Y 
ROX                           |  Y   |  Y  |  Y   |  Y   |  Y  |  Y   |  Y 

Existing Constructions. Let us now take a closer look at a number of existing 
constructions to see which of the seven notions of [?] they preserve. Our findings 
are summarized in Table 1, which we see as the main research contribution 
of our paper. Except for the few entries in the table with question marks, we 
come up with either proofs or counterexamples in support of our claims. We 
found for example that the ubiquitous SMD construction preserves Coll and 
ePre security, but surprisingly fails to preserve any of the other notions. Of the 
eleven schemes in the table, none preserves all seven notions. In fact, the best- 
performing constructions in terms of property preservation are the XOR Linear 
hash and Shoup's hash, which still preserve only three of the seven notions (Coll, 
eSec, and ePre). The XOR Tree hash is the only iteration to preserve Pre, and 
none of the schemes preserve Sec, aSec or aPre. Remember that the latter two 
are particularly relevant for the security of practical hash functions because they 
do not rely on the compression functions being chosen at random from a family. 

Preserving All Properties: The ROX Construction. This rather poor 
state of affairs may leave one wondering whether preserving all seven notions 
is possible at all. We answer this question in the affirmative, but, quite contro- 
versially, were only able to do so in the random oracle model. We explicitly do 
not model the compression function itself as a random oracle however. While 
we view the main interest of our construction to be a feasibility result for seven- 
property-preserving hashing, we do have reasons to believe that our construction 
makes very "reasonable" use of the random oracle. Allow us to explain. 

Our Random-Oracle-XOR (ROX) construction draws largely on the XOR- 
linear hash [?] and Shoup's hash [?]. The latter is an extension of SMD where 
a logarithmic (in the message length) number of masks are XORed into the 
chaining value. We take the same approach, but have the masks generated by 
applying a random oracle to 170-bit inputs, for a security level of 80 bits. To 
hash an ℓ-block message, we query the random oracle on a number of domain 
points that is logarithmic in ℓ. This limited use of the random oracle has the 
important practical ramification that the function instantiating it need not be 
as efficient as the compression function, and can therefore be made with large 
security margins. We'll come back to candidate instantiations in Section [?]. 

The idea of generating the masks through a random oracle is not new; in fact, 
it was explicitly suggested on two separate occasions by Mironov [?]. The 
idea was discarded in [?] for trivializing the problem, but was revisited in [?] 
as a viable way to obtain shorter keys for eSec-secure hashing. Indeed, if one 
assumes the existence of random oracles with very large domains, then one can 
simply use the random oracle to do the hashing. The ROX construction, on the 
other hand, still uses a real compression function in the chaining, and uses a 
small-domain random oracle to preserve all seven notions of [?] using a very 
short key, including the important aSec and aPre notions.¹ Moreover, we do 
so without changing the syntax of the compression function [?] or doubling its 
output size [?], both of which can come at a considerable performance penalty. 

What About Other Properties? The seven security notions formalized 
by [?] are certainly not the only ones that are of interest. Kelsey and Kohno [?] 
suggest chosen-target forced-prefix security, which can be seen as a special form 
of multi-collision resistance, as the right goal to stop Nostradamus attacks. 
Bellare and Ristenpart [?], following previous work by Coron et al. [?] and 
Bellare et al. [?], formalize pseudorandom oracle preservation (PRO-Pr) and 
pseudorandom function preservation (PRF-Pr) as goals. Their EMD construc- 
tion is shown to be PRO-Pr, PRF-Pr and to preserve collision resistance. More 
recently, and independently of this work, Bellare and Ristenpart [?] study the 
Coll, eSec, PRO, PRF, and MAC (unforgeability) preservation of various itera- 
tions, including the SMD, Prefix-free MD, Shoup, and EMD iterations that we 
study. Their work does not cover the five other notions of [?], while our work 
does not cover the PRO, PRF, and MAC properties. We leave the study of the 
preservation of these properties by our ROX construction to future work. 


1 While ROX itself is an explicitly keyed construction, its preservation of aSec/aPre 
implies that the instantiating compression function need not be. Indeed, when in- 
stantiated with a fixed aSec/aPre-secure compression function like SHA-256, then 
the resulting iterated hash is aSec/aPre-secure and therefore also Sec/Pre-secure. 
ROX thereby provides a secure way of iterating unkeyed (second-)preimage resis- 
tant compression functions. 
2 Security Definitions 

In this section, we explain the security notions for hash functions of [?]. Let 
us begin by establishing some notation. Let N = {0, 1, ...} be the set of natural 
numbers and {0,1}* be the set of all bit strings. If k ∈ N, then {0,1}^k denotes 
the set of all k-bit strings and {0,1}^{k×*} denotes the set of all bit strings of 
length an integer multiple of k. The empty string is denoted ε. If b is a bit then 
\bar{b} denotes its complement. If x is a string and i ∈ N, then x^{(i)} is the i-th bit 
of x and x^i is the concatenation of i copies of x. If x, y are strings, then x||y is 
the concatenation of x and y. If k, l ∈ N then ⟨k⟩_l is the encoding of k as an 
l-bit string. We occasionally write ⟨k⟩ when the length is clear from the context. 
If S is a set, then x ←$ S denotes the uniformly random selection of an element 
from S. We let y ← A(x) and y ←$ A(x) be the assignment to y of the output of 
a deterministic and randomized algorithm A, respectively, when run on input x. 

An adversary is an algorithm, possibly with access to oracles. To avoid trivial 
lookup attacks, it will be our convention to include in the time complexity of an 
adversary A its running time and its code size (relative to some fixed model of 
computation). 

Security Notions for Keyed Hash Functions. Formally, a hash function 
family is a function H : K × M → Y where the key space K and the target space 
Y are finite sets of bit strings. The message space M could be infinitely large; 
we only assume that there exists at least one λ ∈ N such that {0,1}^λ ⊆ M. 
We treat (fixed input length) compression functions and (variable input length) 
hash functions just the same, the former being simply a special case of the latter. 

The seven security notions from [?] are the standard three of collision resis- 
tance (Coll), preimage resistance (Pre), and second-preimage resistance (Sec), 
and the always- and everywhere-variants of (second-)preimage resistance (aPre, 
aSec, ePre, and eSec). The advantage of an adversary A in breaking H under secu- 
rity notion atk is given by Adv^{atk}_H(A) = Pr[Exp^{atk} : M ≠ M' and H(K, M) = 
H(K, M')] if atk ∈ {Coll, Sec[λ], eSec, aSec[λ]}, and by Adv^{atk}_H(A) = Pr[Exp^{atk} : 
H(K, M') = Y] if atk ∈ {Pre[λ], ePre, aPre[λ]}, where the experiments Exp^{atk} 
are given below. 


atk      | Exp^{atk} 
---------|------------------------------------------------------------ 
Coll     | K ←$ K ; (M, M') ←$ A(K) 
Sec[λ]   | K ←$ K ; M ←$ {0,1}^λ ; M' ←$ A(K, M) 
eSec     | (M, St) ←$ A ; K ←$ K ; M' ←$ A(K, St) 
aSec[λ]  | (K, St) ←$ A ; M ←$ {0,1}^λ ; M' ←$ A(M, St) 
Pre[λ]   | K ←$ K ; M ←$ {0,1}^λ ; Y ← H(K, M) ; M' ←$ A(K, Y) 
ePre     | (Y, St) ←$ A ; K ←$ K ; M' ←$ A(K, St) 
aPre[λ]  | (K, St) ←$ A ; M ←$ {0,1}^λ ; Y ← H(K, M) ; M' ←$ A(Y, St) 


We say that H is (t, ε) atk-secure if no adversary running in time at most t has 
advantage more than ε. When giving results in the random oracle model, we 
will talk about (t, q_RO, ε) atk-secure schemes, where q_RO is the total number of 
queries that A makes to its random oracles. 

Note that the security notions above do not insist that the colliding message 
M' be of length λ. It is our conscious choice to focus on arbitrary-length security 
here, meaning that adversaries may find collisions between messages of varying 
lengths. In practice, the whole purpose of hash iterations is to extend the domain 
of a compression function to arbitrary lengths, so it makes perfect sense to require 
that the hash function withstands attacks using messages of different lengths. 


3 Properties Preserved by Existing Constructions 

In this section we take a closer look at eleven hash iterations that previously 
appeared in the literature, and check which of the seven security properties 
from [?] they preserve. The algorithms are described in Fig. 1; the results of 
our analysis are summarized in Table 1. 

As mentioned in the previous section, we focus on arbitrary-length security 
in this paper. Allowing for arbitrary-length message attacks invariably seems 
to require some sort of message padding (unstrengthened MD does not pre- 
serve collision resistance), but care must be taken when deciding on the padding 
method: one method does not fit all. This was already observed by Bellare and 
Rogaway [?], who proposed an alternative form of strengthening where a final 
block containing the message length is appended and processed with a different 
key than the rest of the iteration. This works fine in theory, but since current 
compression functions are not keyed, it is not clear how this construction should 
be instantiated in practice. In the absence of a practical generic solution, we chose 
to add standard one-zeroes padding and length strengthening to all chaining it- 
erations that were originally proposed without strengthening. For tree iterations 
we use one-zeroes padding for the message input at the leaves, and at the root 
make one extra call to the compression function on input the accumulated hash 
value concatenated with the message length. (Standard length strengthening at 
the leaves fails to preserve even collision resistance here.) These strengthening 
methods sometimes help but never harm property preservation. 
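The padding and mask conventions just described, as an added Python example that is not the paper's code: one-zeroes padding followed by length strengthening (ls-pad), and the SMD, XOR-linear and Shoup iterations built on a keyed toy compression function modelled with SHA-256. Shoup's mask index ν(i) is taken as the exponent of the largest power of two dividing i, with masks indexed from 0; that convention, the toy block sizes and the sample inputs are assumptions of this example.

```python
import hashlib

B = 32          # message-block size b in bytes (toy choice)
N = 16          # chaining-value size n in bytes (toy choice)
IV = bytes(N)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))


def F(K: bytes, inp: bytes) -> bytes:
    """Keyed compression function F(K, m || h) -> n bytes, modelled with SHA-256 (assumption)."""
    assert len(inp) == B + N
    return hashlib.sha256(K + inp).digest()[:N]


def ls_pad(M: bytes) -> list:
    """One-zeroes padding plus length strengthening: append a 1 bit, then zeros,
    then |M| in bits as a 64-bit field, so the result is a whole number of b-byte
    blocks and messages of different lengths always end in different final blocks."""
    p = M + b"\x80"
    p += b"\x00" * ((-len(p) - 8) % B)
    p += (8 * len(M)).to_bytes(8, "big")
    return [p[i:i + B] for i in range(0, len(p), B)]


def smd(K: bytes, M: bytes) -> bytes:
    """Strengthened Merkle-Damgard: h_i = F(K, m_i || h_{i-1}), return h_l."""
    h = IV
    for m in ls_pad(M):
        h = F(K, m + h)
    return h


def xlh(K: bytes, masks: list, M: bytes) -> bytes:
    """XOR-linear hash: a distinct mask K_i is XORed into the chaining value at block i."""
    blocks = ls_pad(M)
    if len(masks) < len(blocks):
        raise ValueError("XOR-linear hash needs one mask per message block")
    h = IV
    for m, k in zip(blocks, masks):
        h = F(K, m + xor(h, k))
    return h


def nu(i: int) -> int:
    """Shoup's mask schedule: exponent of the largest power of two dividing i
    (assumed standard definition; masks are indexed from 0 here)."""
    return (i & -i).bit_length() - 1


def masks_needed(M: bytes) -> int:
    """floor(log2 l) + 1 masks suffice for an l-block message under Shoup's schedule."""
    return max(nu(i) for i in range(1, len(ls_pad(M)) + 1)) + 1


def shoup(K: bytes, masks: list, M: bytes) -> bytes:
    """Shoup's hash: block i XORs K_{nu(i)} into h_{i-1}, so the number of masks
    grows only logarithmically in the message length."""
    blocks = ls_pad(M)
    if len(masks) < masks_needed(M):
        raise ValueError("Shoup's hash needs floor(log2 l) + 1 masks")
    h = IV
    for i, m in enumerate(blocks, start=1):
        h = F(K, m + xor(h, masks[nu(i)]))
    return h


# Constructed sample inputs for the checks below.
K_SAMPLE = b"\x01" * N
ZERO_MASKS = [bytes(N)] * 64
SAMPLE_MASKS = [hashlib.sha256(bytes([i])).digest()[:N] for i in range(64)]
MSG = b"constructed sample message spanning a few blocks of the toy iteration"
```

With all masks set to zero both XLH and SH collapse to SMD, which makes the structural relation between the three iterations visible; with distinct masks they diverge at the first block whose mask differs (block 3 for the sample message, since ν(3) = ν(1) = 0 under Shoup's schedule while XLH uses a third mask).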
Strengthened Merkle-Damgard. The Strengthened Merkle-Damgard 
(SMD) construction is known to preserve collision resistance [?] and to not 
preserve eSec security [?]. In the following two theorems we prove that it also 
preserves ePre security, but does not preserve Sec, aSec, Pre, and aPre security. 
Here $t_F$ is the time required for an evaluation of F and $\ell = \lceil (\lambda + 2n)/b \rceil$ where 
$\lambda = |M|$. 

Theorem 1. If F is $(t', \varepsilon')$ ePre-secure, then $\mathrm{SMD}^F$ is $(t, \varepsilon)$ ePre-secure for $\varepsilon = \varepsilon'$ 
and $t = t' - \ell \cdot t_F$. 

Proof. Given an ePre-adversary A against $\mathrm{SMD}^F$, consider the following ePre- 
adversary B against F. B runs A to obtain the target value Y and outputs the 
same string Y. When it gets a random key K it runs A on the same key to obtain 
Algorithm $\mathrm{SMD}^F(K, M)$: 
  $m_1 \| \ldots \| m_\ell \leftarrow$ ls-pad$(M)$ ; $h_0 \leftarrow IV$ 
  For $i = 1, \ldots, \ell$ do $h_i \leftarrow F(K, m_i \| h_{i-1})$ 
  Return $h_\ell$ 

Algorithm $\mathrm{LH}^F(K_1 \| \ldots \| K_\ell, M)$: 
  $m_1 \| \ldots \| m_\ell \leftarrow$ ls-pad$(M)$ ; $h_0 \leftarrow IV$ 
  For $i = 1, \ldots, \ell$ do $h_i \leftarrow F(K_i, m_i \| h_{i-1})$ 
  Return $h_\ell$ 

Algorithm $\mathrm{XLH}^F(K \| K_1 \| \ldots \| K_\ell, M)$: 
  $m_1 \| \ldots \| m_\ell \leftarrow$ ls-pad$(M)$ ; $h_0 \leftarrow IV$ 
  For $i = 1, \ldots, \ell$ do 
    $h_i \leftarrow F(K, m_i \| (h_{i-1} \oplus K_i))$ 
  Return $h_\ell$ 

Algorithm $\mathrm{SH}^F(K \| K_1 \| \ldots \| K_{\lceil \log \ell \rceil}, M)$: 
  $m_1 \| \ldots \| m_\ell \leftarrow$ ls-pad$(M)$ ; $h_0 \leftarrow IV$ 
  For $i = 1, \ldots, \ell$ do 
    $h_i \leftarrow F(K, m_i \| (h_{i-1} \oplus K_{\nu(i)}))$ 
  Return $h_\ell$ 

Algorithm $\mathrm{PfMD}^F(K, M)$: 
  $m_1 \| \ldots \| m_\ell \leftarrow$ pf-pad$(M)$ ; $h_0 \leftarrow IV$ 
  For $i = 1, \ldots, \ell$ do $h_i \leftarrow F(K, m_i \| h_{i-1})$ 
  Return $h_\ell$ 

Algorithm $\mathrm{EMD}^F(K, M)$: 
  $m_1 \| \ldots \| m_\ell \leftarrow$ emd-pad$(M)$ ; $h_0 \leftarrow IV_1$ 
  For $i = 1, \ldots, \ell - 1$ do $h_i \leftarrow F(K, m_i \| h_{i-1})$ 
  Return $h_\ell \leftarrow F(K, h_{\ell-1} \| m_\ell \| IV_2)$ 

Algorithm $\mathrm{HAIFA}^F(K, M)$: 
  $m_1 \| \ldots \| m_\ell \leftarrow$ oz-pad$(M, \ell \cdot b)$ ; $h_0 \leftarrow IV$ 
  ctr $\leftarrow 0$ ; $S \leftarrow \{0,1\}^s$  // S is a salt 
  For $i = 1, \ldots, \ell - 1$ do 
    ctr $\leftarrow$ ctr $+ b$ ; $h_i \leftarrow F(K, m_i \| \langle \mathrm{ctr} \rangle_l \| S \| h_{i-1})$ 
  $h_\ell \leftarrow F(K, m_\ell \| \langle |M| \rangle_l \| S \| h_{\ell-1})$ 
  Return $S, h_\ell$ 

Algorithm $\mathrm{RH}^F(K \| R, M)$: 
  $m_1 \| \ldots \| m_\ell \leftarrow$ sf-pad$(M)$ 
  $h_0 \leftarrow F(K, R \| IV)$ 
  For $i = 1, \ldots, \ell$ do 
    $h_i \leftarrow F(K, (m_i \oplus R) \| h_{i-1})$ 
  Return $h_\ell$ 

Algorithm $\mathrm{SMT}^F(K, M)$: 
  $m_1 \| \ldots \| m_{a^d} \leftarrow$ tpad$(M)$ 
  For $j = 1, \ldots, a^{d-1}$ do 
    $h_{1,j} \leftarrow F(K, m_{(j-1)a+1} \| \ldots \| m_{ja})$ 
  For $i = 2, \ldots, d$ and $j = 1, \ldots, a^{d-i}$ do 
    $h_{i,j} \leftarrow F(K, h_{i-1,(j-1)a+1} \| \ldots \| h_{i-1,ja})$ 
  $h_{d+1,1} \leftarrow F(K, h_{d,1} \| \langle |M| \rangle_{n(a-1)})$ 
  Return $h_{d+1,1}$ 

Algorithm $\mathrm{TH}^F(K_1 \| \ldots \| K_{d+1}, M)$: 
  $m_1 \| \ldots \| m_{a^d} \leftarrow$ tpad$(M)$ 
  For $j = 1, \ldots, a^{d-1}$ do 
    $h_{1,j} \leftarrow F(K_1, m_{(j-1)a+1} \| \ldots \| m_{ja})$ 
  For $i = 2, \ldots, d$ and $j = 1, \ldots, a^{d-i}$ do 
    $h_{i,j} \leftarrow F(K_i, h_{i-1,(j-1)a+1} \| \ldots \| h_{i-1,ja})$ 
  $h_{d+1,1} \leftarrow F(K_{d+1}, h_{d,1} \| \langle |M| \rangle_{n(a-1)})$ 
  Return $h_{d+1,1}$ 

Algorithm $\mathrm{XTH}^F(K \| K_1 \| \ldots \| K_{d+1}, M)$: 
  $m_1 \| \ldots \| m_{a^d} \leftarrow$ tpad$(M)$ 
  For $j = 1, \ldots, a^{d-1}$ do 
    $h_{1,j} \leftarrow F(K, (m_{(j-1)a+1} \| \ldots \| m_{ja}) \oplus K_1)$ 
  For $i = 2, \ldots, d$ and $j = 1, \ldots, a^{d-i}$ do 
    $h_{i,j} \leftarrow F(K, (h_{i-1,(j-1)a+1} \| \ldots \| h_{i-1,ja}) \oplus K_i)$ 
  $h_{d+1,1} \leftarrow F(K, (h_{d,1} \| \langle |M| \rangle_{n(a-1)}) \oplus K_{d+1})$ 
  Return $h_{d+1,1}$ 

Padding algorithms: 
  oz-pad$(M, x) = M \| 1 \| 0^{x - |M| - 1}$ 
  ls-pad$(M) = $ oz-pad$(M, x) \| \langle |M| \rangle_b$ 
    where $x = \lceil (|M| + 2)/b \rceil \cdot b$ 
  emd-pad$(M) = $ oz-pad$(M, x) \| \langle |M| \rangle_{64}$ 
    where $x = \lceil (|M| + 66)/b \rceil \cdot b - 64$ 
  tpad$(M) = $ oz-pad$(M, x)$ 
    where $x = a^{\lceil \log_a \lceil |M|/n \rceil \rceil} \cdot n$ 


Fig. 1. Some existing iterative hash constructions. Chaining iterations SMD, LH, XLH, 
SH, PfMD, and EMD use a compression function $F : \{0,1\}^k \times \{0,1\}^{b+n} \to \{0,1\}^n$; 
HAIFA uses a compression function $F : \{0,1\}^k \times \{0,1\}^{b+l+s+n} \to \{0,1\}^n$. Tree iterations 
SMT, TH, and XTH use a compression function $F : \{0,1\}^k \times \{0,1\}^{an} \to \{0,1\}^n$. Strings 
$IV, IV_1, IV_2 \in \{0,1\}^n$ are fixed initialization vectors. Padding algorithms are given at 
the bottom right; pf-pad(M) and sf-pad(M) are any prefix-free padding and suffix- 
free padding algorithms, respectively. The function $\nu(i)$ is the largest integer $j$ such 
that $2^j \mid i$. 

a preimage message M'. Let $m'_1 \| \ldots \| m'_\ell \leftarrow$ ls-pad$(M')$ and let $h'_{\ell-1}$ be the one- 
but-last chaining value computed in an execution of Algorithm $\mathrm{SMD}^F(K, M')$. 
B outputs $m'_\ell \| h'_{\ell-1}$ as its own preimage. 

While at first sight the above proof may seem to go through for Pre and aPre 
security as well, this is not the case. The target point Y in a Pre attack on F is 
distributed as $F(K, m \| h)$ for a random $m \| h \leftarrow \{0,1\}^{b+n}$. But the target point 
for the iterated structure $\mathrm{SMD}^F$ is generated as $\mathrm{SMD}^F(K, M)$ for a random $M \leftarrow 
\{0,1\}^\lambda$. These two distributions can actually be very different, as is illustrated 
by the following counterexample. 
Theorem 2. For atk $\in$ {Sec, aSec, Pre, aPre}, if there exists a $(t, \varepsilon)$ atk-secure 
compression function $G : \mathcal{K} \times \{0,1\}^{b+n} \to \{0,1\}^{n-1}$, then there exists a $(t, \varepsilon - 
1/2^n)$ atk-secure compression function $\mathrm{CE}_1 : \mathcal{K} \times \{0,1\}^{b+n} \to \{0,1\}^n$ and an 
adversary A running in one time step with atk[$\lambda$]-advantage one in breaking 
$\mathrm{SMD}^{\mathrm{CE}_1}$. 

Proof. For any compression function G, consider $\mathrm{CE}_1$ given by 
  $\mathrm{CE}_1(K, m \| h) = IV$ if $h = IV$ 
  $\qquad\qquad\quad\;\, = G(K, m \| h) \| IV^{(n)}$ otherwise. 

If G is $(t, \varepsilon)$ atk-secure, then $\mathrm{CE}_1$ is $(t, \varepsilon - 1/2^n)$ atk-secure; we refer to the 
full version [2] for the proof. From the construction of $\mathrm{CE}_1$, it is clear that 
$\mathrm{SMD}^{\mathrm{CE}_1}(K, M) = IV$ for all $M \in \{0,1\}^*$. Hence, the adversary can output any 
message M' as its (second) preimage. 

Linear Hash. The Linear Hash (LH) [?] uses $\ell$ different keys for $\ell$-block mes- 
sages, because it calls the compression function on a different key at every it- 
eration. The Linear Hash is known to preserve eSec-security for same-length 
messages, but Bellare and Rogaway claim [?] that length-strengthening does 
not suffice to preserve eSec for different-length messages. The following theorem 
confirms their claim, and also shows that LH does not preserve Coll. The coun- 
terexample $\mathrm{CE}_1$ of Theorem 2 can be used to disprove the preservation of Sec, 
aSec, Pre and aPre-security. A proof similar to that of Theorem 1 can be used 
to show that LH does preserve ePre-security. 

Theorem 3. For any atk $\in$ {Coll, eSec}, if there exists a $(t, \varepsilon)$ atk-secure com- 
pression function $G : \{0,1\}^k \times \{0,1\}^{b+n} \to \{0,1\}^{n-2}$, then there exists a $(t, \varepsilon)$ 
atk-secure compression function $\mathrm{CE}_2 : \{0,1\}^k \times \{0,1\}^{b+n} \to \{0,1\}^n$ and an ad- 
versary A running in one time step with atk-advantage 1/4 in breaking $\mathrm{LH}^{\mathrm{CE}_2}$. 

Proof. For any compression function G, consider $\mathrm{CE}_2$ given by 
  $\mathrm{CE}_2(K, m \| h) = IV$ if $m \| h = 010^{b-2} \| IV$ 
  $\qquad\qquad\quad\;\, = 0^{n-1} \| IV^{(n)}$ if ($K^{(1)} = 0$ and $m \| h = \langle 1 \rangle_b \| IV$) 
  $\qquad\qquad\qquad\qquad\qquad\;\;$ or ($K^{(1)} = 1$ and $m \| h = \langle b+1 \rangle_b \| IV$) 
  $\qquad\qquad\quad\;\, = G(K, m \| h) \| 1 \| IV^{(n)}$ otherwise. 

In the full version [2] we prove that if G is $(t, \varepsilon)$ atk-secure for atk $\in$ {Coll, eSec}, 
then $\mathrm{CE}_2$ is $(t, \varepsilon)$ atk-secure. When iterating $\mathrm{CE}_2$ through $\mathrm{LH}^{\mathrm{CE}_2}$ with indepen- 
dent keys $K_1 \| K_2 \| K_3$, one can easily see that if $K_2^{(1)} = 0$ and $K_3^{(1)} = 1$, then 
messages $M = 0$ and $M' = 010^{b-1}$ both hash to $0^{n-1} \| IV^{(n)}$. Since in the 
Coll and eSec games this case happens with probability 1/4, we have attacks 
satisfying the claim in the theorem. 
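As an added example (not code from the paper), the following Python script instantiates ls-pad, SMD, LH and the counterexample compression functions CE1 (Theorem 2) and CE2 (Theorem 3) with constructed toy parameters: b = n = 8, a fixed IV, and a truncated SHA-256 standing in for the generic inner function G. It checks both claims: SMD over CE1 is the constant IV, and LH over CE2 maps M = 0 and M' = 010^{b-1} to the same digest exactly when K2^{(1)} = 0 and K3^{(1)} = 1.

```python
"""Executable check of counterexamples CE1 and CE2 (added example).
Bit strings are Python str of '0'/'1'; b, n, IV and the inner function G
are constructed stand-ins chosen only so the counterexamples can run."""
import hashlib

B, N = 8, 8                 # block size b and chaining size n (constructed)
IV = "10110010"             # fixed initialization vector (constructed)


def enc(x, width):
    """<x>_width: big-endian binary encoding of the integer x in `width` bits."""
    return format(x, f"0{width}b")


def oz_pad(m, x):
    """oz-pad(M, x) = M || 1 || 0^{x-|M|-1}."""
    assert x >= len(m) + 1
    return m + "1" + "0" * (x - len(m) - 1)


def ls_pad(m):
    """ls-pad(M) = oz-pad(M, x) || <|M|>_b with x = ceil((|M|+2)/b) * b."""
    x = -(-(len(m) + 2) // B) * B
    return oz_pad(m, x) + enc(len(m), B)


def blocks(s):
    return [s[i:i + B] for i in range(0, len(s), B)]


def G(key, inp, out_bits):
    """Toy inner compression function G (truncated SHA-256), a stand-in
    for any atk-secure G as in the theorem statements."""
    d = hashlib.sha256((key + "|" + inp).encode()).digest()
    return "".join(format(c, "08b") for c in d)[:out_bits]


def CE1(key, m, h):
    """CE1(K, m||h) = IV if h = IV, else G(K, m||h) || IV^{(n)}."""
    return IV if h == IV else G(key, m + h, N - 1) + IV[-1]


def CE2(key, m, h):
    """CE2 of Theorem 3: one 'glue' input, two key-dependent inputs, else G."""
    if m + h == "01" + "0" * (B - 2) + IV:
        return IV
    k1 = key[0]                       # K^{(1)}: first bit of the key
    if (k1 == "0" and m + h == enc(1, B) + IV) or \
       (k1 == "1" and m + h == enc(B + 1, B) + IV):
        return "0" * (N - 1) + IV[-1]
    return G(key, m + h, N - 2) + "1" + IV[-1]


def SMD(F, key, msg):
    """Strengthened Merkle-Damgard over compression function F."""
    h = IV
    for m in blocks(ls_pad(msg)):
        h = F(key, m, h)
    return h


def LH(F, keys, msg):
    """Linear Hash: the i-th compression call uses key K_i."""
    h = IV
    for m, k in zip(blocks(ls_pad(msg)), keys):
        h = F(k, m, h)
    return h


def smd_ce1_is_constant(msgs):
    """True iff SMD over CE1 returns IV for every message given."""
    return all(SMD(CE1, "1010", m) == IV for m in msgs)


def lh_ce2_pair(keys):
    """Digests of M = 0 and M' = 010^{b-1} under LH over CE2 with `keys`."""
    m, m_prime = "0", "01" + "0" * (B - 1)
    return LH(CE2, keys, m), LH(CE2, keys, m_prime)
```

With keys whose second key starts with 0 and third with 1, the two digests are both 0^{n-1}||IV^{(n)}; flipping the first bit of K3 makes the pair differ again, which is the 1/4 case of the proof.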

XOR-Linear Hash. The XOR-Linear Hash (XLH) [?] uses keys that consist 
of a compression function key K and $\ell$ masking keys $K_1, \ldots, K_\ell \in \{0,1\}^n$. It 
is known to preserve eSec security [?]. It can also be seen to preserve Coll and 
ePre by similar arguments as used for SMD and LH. Counterexample $\mathrm{CE}_1$ can 
be used to show that aSec and aPre are not preserved: the adversary gets to 
choose the key in these notions, so it can choose $K_1 = \ldots = K_\ell = 0^n$ so that 
XLH boils down to SMD. In the following we show that the XLH construction 
does not preserve Sec or Pre security either. 

Theorem 4. For any atk $\in$ {Sec, Pre}, if there exists a $(t, \varepsilon)$ atk-secure com- 
pression function $G : \mathcal{K} \times \{0,1\}^{b+n} \to \{0,1\}^{n-1}$, then there exists a $(t, \varepsilon + 1/2^b)$ 
atk-secure compression function $\mathrm{CE}_3 : \mathcal{K} \times \{0,1\}^{b+n} \to \{0,1\}^n$ and an adversary 
A running in one time step with atk[$\lambda$]-advantage one in breaking $\mathrm{XLH}^{\mathrm{CE}_3}$. 

Proof. For any $\lambda < 2^b$ and compression function G, consider $\mathrm{CE}_3$ given by 
  $\mathrm{CE}_3(K, m \| h) = 0^n$ if $m = \langle \lambda \rangle_b$ 
  $\qquad\qquad\quad\;\, = G(K, m \| h) \| 1$ otherwise. 

In the full version [2] we prove that if G is $(t, \varepsilon)$ Sec or Pre-secure, then $\mathrm{CE}_3$ 
is $(t, \varepsilon + 1/2^b)$ Sec or Pre-secure. It is easy to see that, when iterated through 
$\mathrm{XLH}^{\mathrm{CE}_3}$, the hash of any $\lambda$-bit message is $0^n$. A Pre[$\lambda$] adversary can therefore 
simply output any $M' \in \{0,1\}^\lambda$, a Sec[$\lambda$] adversary can output any $M' \neq M \in 
\{0,1\}^\lambda$. 

Shoup’s Hash. The iteration due to Shoup (SH) [?] is similar to the XOR- 
Linear hash but uses a different key scheduling that reduces the key length to 
logarithmic in the message length, rather than linear. Shoup’s hash is known 
to preserve eSec-security [?], and it can be shown to preserve Coll and ePre- 
security as well. The proofs are very similar to the case of SMD, and hence 
omitted. Counterexample $\mathrm{CE}_1$ disproves preservation of aSec and aPre-security, 
and counterexample $\mathrm{CE}_3$ disproves preservation of Sec and Pre. 

Prefix-Free Merkle-Damgard. Bellare and Ristenpart showed [?] that the 
prefix-free Merkle-Damgard construction (PfMD) [?] does not preserve Coll secu- 
rity. The counterexample of [?] can also be used to show that it does not preserve 
eSec, and counterexample $\mathrm{CE}_1$ can be used to disprove the preservation of Sec, 
aSec, Pre and aPre. Finally, using a proof similar to that for SMD, one can show 
that ePre-security is preserved. 

Another variant of PfMD by [?] prepends the message length encoding to the 
message in advance. The security results of this scheme easily follow from the 
ones for the SMD construction. 

Randomized Hash. The Randomized Hash (RH) [?] XORs each message block 
with a random value $R \in \{0,1\}^b$. The construction was originally proved to 
be eSec secure by making stronger assumptions on the underlying compression 
function. Its pure security preservation characteristics (i.e., assuming only the 
eSec security of the compression function) were never studied. In our security 
analysis, treating the value R either as randomness per message or as a fixed 
long-term key yields identical results with respect to seven-property preservation. 

By arguments similar to the case of SMD, one can show that RH preserves Coll 
and ePre security, but none of the other notions are preserved. Counterexample 
$\mathrm{CE}_1$ can be used to contradict preservation of Sec, aSec, Pre, and aPre, and the 
counterexample of [?] can be used to contradict preservation of eSec. 

HAIFA. While the newly proposed HAsh Iterative FrAmework (HAIFA) [?] does 
preclude a number of specific attacks [?] to which SMD admits, it per- 
forms exactly the same in terms of preservation of our security notions. Similar 
proofs as for SMD can be used to show that HAIFA preserves Coll and ePre- 
security, counterexample $\mathrm{CE}_1$ can be used to contradict the preservation of Sec, 
aSec, Pre, and aPre, and the counterexample of [?] applies to contradict preser- 
vation of eSec. 

Enveloped Merkle-Damgard. The enveloped Merkle-Damgard (EMD) con- 
struction [?] is known to preserve collision resistance, pseudo-random-oracle, and 
pseudo-random function behavior. For the seven security notions that we con- 
sider, however, it does not perform better than SMD. Counterexample $\mathrm{CE}_1$ of 
Theorem 2 can be used (setting $IV = IV_2$) to show that none of Sec, aSec, 
Pre, or aPre are preserved. An adaptation of the counterexample of [?] shows 
that eSec is not preserved either. Preservation of ePre on the other hand can be 
proved in a similar way as done in Theorem 1. 

Strengthened Merkle Tree. We consider here the strengthened Merkle 
tree [?], the Tree Hash [?], and the XOR Tree Hash [?]. For conciseness we do not 
cover other tree iterations that have appeared in the literature (e.g., [?]). The 
Merkle tree [?] in its most basic form (i.e., without length strengthening) suffers 
from a similar anomaly as basic Merkle-Damgard in that it does not preserve Coll 
for arbitrary-length messages. We therefore consider the strengthened variant 
SMT here, depicted in Fig. 1. We believe SMT is commonly known to preserve 
Coll, but we reprove this in the full version [2] for completeness. The notion of 
ePre is easily seen to be preserved as well. It can be seen not to preserve eSec 
by a counterexample similar to that of [?] given in the full version [2]. SMT also 
fails to preserve Sec, aSec, Pre, and aPre however, as shown in the following 
theorem. 

Theorem 5. For any atk $\in$ {Sec, aSec, Pre, aPre}, if there exists a $(t', \varepsilon')$ atk- 
secure compression function $G : \mathcal{K} \times \{0,1\}^{an} \to \{0,1\}^{n-2}$, then there exists a 
$(t, \varepsilon)$ atk-secure compression function $\mathrm{CE}_4 : \mathcal{K} \times \{0,1\}^{an} \to \{0,1\}^n$ for $\varepsilon = 
\varepsilon' + 1/2^{n-1}$, $t = t'$, and an adversary A running in one time step with atk[$\lambda$] 
advantage 1 in breaking $\mathrm{SMT}^{\mathrm{CE}_4}$. 

Proof. For any compression function G, consider $\mathrm{CE}_4$ given by 
  $\mathrm{CE}_4(K, m_1 \| \ldots \| m_a) = 0^n$ if $m_a = 0^n$ 
  $\qquad\qquad\qquad\qquad\;\;\, = 1^n$ if $m_{a-1} = 0^n$ and $m_a \neq 0^n$ 
  $\qquad\qquad\qquad\qquad\;\;\, = G(K, m_1 \| \ldots \| m_a) \| 10$ otherwise. 

We prove in the full version [2] that the bounds mentioned above hold for the 
atk security of $\mathrm{CE}_4$. It is easy to see that, due to the one-zeroes padding to $a^d n$ 
bits, any message of length $a^{d-1} n < \lambda < (a^d - 1) n$ hashes to $1^n$, leading to trivial 
constant-time attacks for any such length $\lambda$. 
Tree Hash. The unstrengthened Tree Hash (TH) was proposed in [?] for same- 
length messages; we consider the strengthened variant here. It is a variant of SMT 
where at each level i of the tree the compression functions use an independent key 
$K_i$. It can be seen to preserve ePre for the same reasons as the SMT construction. 
Our counterexample $\mathrm{CE}_4$ can be used to exhibit the non-preservation of Sec, 
aSec, Pre and aPre security. The cases of Coll and eSec are a bit more subtle, 
but the counterexample below shows that TH does not preserve these either. 
Theorem 6. For any atk $\in$ {Coll, eSec}, if there exists a $(t', \varepsilon')$ atk-secure com- 
pression function $G : \{0,1\}^k \times \{0,1\}^{an} \to \{0,1\}^{n-1}$, then there exists a $(t, \varepsilon)$ 
atk-secure compression function $\mathrm{CE}_5 : \{0,1\}^k \times \{0,1\}^{an} \to \{0,1\}^n$ for $\varepsilon = \varepsilon'$, 
$t = t'$, such that there exists an eSec-adversary breaking the eSec security of 
$\mathrm{TH}^{\mathrm{CE}_5}$ in constant time with advantage 1/4. 

Proof. For any compression function G, consider $\mathrm{CE}_5$ given by 

  $\mathrm{CE}_5(K, M) = 10^{n-1}$ if $M = (10^{n-1})^a$ 
  $\qquad\qquad\;\;\, = 1^n$ if ($K^{(1)} = 0$ and $M = 10^{n-1} \| \langle (a-1)n \rangle_{n(a-1)}$) 
  $\qquad\qquad\qquad\quad\;\;$ or ($K^{(1)} = 1$ and $M = 10^{n-1} \| \langle (a^2-1)n \rangle_{n(a-1)}$) 
  $\qquad\qquad\;\;\, = 0 \| G(K, M)$ otherwise.   (1) 

We prove in the full version [2] that $\mathrm{CE}_5$ is $(t, \varepsilon)$ atk-secure whenever G is $(t, \varepsilon)$ 
atk-secure, for atk $\in$ {Coll, eSec}. 

Let $M = (10^{n-1})^{a-1}$ and $M' = (10^{n-1})^{a^2-1}$. Note that tpad$(M) = (10^{n-1})^a$ 
and tpad$(M') = (10^{n-1})^{a^2}$, where tpad is the tree padding algorithm of Fig. 1. 
If $\mathrm{TH}^{\mathrm{CE}_5}$ is instantiated with keys $K_1 \| K_2 \| K_3$ such that $K_2^{(1)} = 0$ and $K_3^{(1)} = 1$, 
then one can verify that $\mathrm{TH}^{\mathrm{CE}_5}(K_1 \| K_2 \| K_3, M') = \mathrm{TH}^{\mathrm{CE}_5}(K_1 \| K_2 \| K_3, M) = 
1^n$. Hence, the adversary that outputs M and M' as colliding message pair has 
advantage 1/4 in winning the Coll and eSec games. 


XOR Tree. The unstrengthened XOR Tree (XTH) was proposed in [?] for fixed- 
length messages; we consider the strengthened variant here. It is again a variant 
of the Merkle tree, where the inputs to the compression functions on level i are 
XORed with a key $K_i \in \{0,1\}^{an}$. As for all other iterations, it is straightforward 
to see that XTH preserves ePre; we omit the proof. Quite remarkably, the masking 
of the entire input to the compression function makes it the only iteration in 
the literature that preserves Pre, while at the same time it seems to stand in 
the way of even proving preservation of Coll. It does not preserve aSec or aPre 
because the adversary can choose $K_i = 0^{an}$ and apply counterexample $\mathrm{CE}_4$. We 
were unable to come up with either proof or counterexample for Coll, Sec, and 
eSec, leaving these as an open question. The proof of preservation of Pre is given 
in the full version [2]. 


4 The ROX Construction 

We are now ready to present in detail our Random-Oracle-XOR (ROX) construc- 
tion. Let $F : \{0,1\}^k \times \{0,1\}^{b+n} \to \{0,1\}^n$ be a fixed-length compression function. 
Fig. 2. The ROX Construction. The message is padded with bits generated by 
$\mathrm{RO}_2(\bar m, \langle \lambda \rangle, \langle i \rangle)$, where $\bar m$ are the first k bits of M. The last block must contain 
at least 2n padding bits, otherwise an extra padding block is added. In the picture 
above, IV is the initialization vector, $\nu(i)$ is the largest integer j such that $2^j \mid i$, and 
the masks $\mu_i \leftarrow \mathrm{RO}_1(K, \bar m, \langle i \rangle)$. 

Let $2^l$ be the maximum message length in bits; typically one would use k = 80 
and l = 64. The construction uses two random oracles $\mathrm{RO}_1 : \{0,1\}^k \times \{0,1\}^k \times 
\{0,1\}^{\lceil \log l \rceil} \to \{0,1\}^n$ and $\mathrm{RO}_2 : \{0,1\}^k \times \{0,1\}^l \times \{0,1\}^{\lceil \log b \rceil} \to \{0,1\}^{2n}$. These 
random oracles can be built from a single one by adding an extra bit to the input 
that distinguishes calls to $\mathrm{RO}_1$ and $\mathrm{RO}_2$. Our construction can be thought of as 
a variant of Shoup’s hash, but with the masks being generated by $\mathrm{RO}_1$ and the 
padding being generated by $\mathrm{RO}_2$. More precisely, on input a message M, our 
padding function rox-pad outputs a sequence of b-bit message blocks 

  $m_1 \| \ldots \| m_\ell = M \| \mathrm{RO}_2(\bar m, \langle \lambda \rangle, \langle 1 \rangle) \| \mathrm{RO}_2(\bar m, \langle \lambda \rangle, \langle 2 \rangle) \| \ldots$ 

where $\bar m$ are the first k bits of M and $\lambda = |M|$. The padding adds a number 
of bits generated by $\mathrm{RO}_2$ such that the final block $m_\ell$ contains at least 2n 
bits generated by $\mathrm{RO}_2$, possibly resulting in an extra block consisting solely 
of padding. It is worth noting though that we do not have a separate length 
strengthening block. We assume that $\lambda \geq k$ because aPre security, and therefore 
seven-property-preservation as a whole, do not make sense for short messages. 
Indeed, the adversary can always exhaustively try the entire message space. To 
hash shorter messages, one should add a random salt to the message. 

Let $\nu(i)$ be the largest integer j such that $2^j$ divides i, let $IV \in \{0,1\}^n$ 
be an initialization vector, and let $\bar m$ be the first k bits of the message M. 
Our construction is described in pseudocode below; a graphical representation 
is given in Fig. 2. 

Algorithm $\mathrm{ROX}^{F, \mathrm{RO}_1, \mathrm{RO}_2}(K, M)$: 
  $m_1 \| \ldots \| m_\ell \leftarrow$ rox-pad$^{\mathrm{RO}_2}(M)$ ; $h_0 \leftarrow IV$ 
  For $i = 0, \ldots, \lceil \log_2(\ell) \rceil$ do $\mu_i \leftarrow \mathrm{RO}_1(K, \bar m, \langle i \rangle)$ 
  For $i = 1, \ldots, \ell$ do $g_i \leftarrow h_{i-1} \oplus \mu_{\nu(i)}$ ; $h_i \leftarrow F(K, m_i \| g_i)$ 
  Return $h_\ell$. 

We want to stress that the ROX construction does not require that the 
compression function accept an additional input that might be influenced by the 
attacker (such as a salt or a counter). We see this as an important advantage, 
since imposing additional requirements on the compression function may make 
compression functions even harder to design or less efficient. 
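The following Python script is an added, executable instance of the ROX iteration above (it is not the paper's code). It implements rox-pad, the mask schedule driven by $\nu(i)$, and the chaining loop; the compression function F and the oracles RO1 and RO2 are SHA-256 stand-ins with domain-separation tags, and k, l, b, n and IV are small constructed parameters.

```python
"""Executable instance of the ROX construction (added example, not from the
paper). Bit strings are Python str of '0'/'1'. F, RO1 and RO2 are SHA-256
stand-ins; k, l, b, n and IV below are constructed toy parameters."""
import hashlib
import math

K_BITS, L_BITS, B, N = 16, 16, 32, 16    # k, l, b, n (constructed)
IV = "0" * N                              # initialization vector (constructed)


def enc(x, width):
    """<x>_width: big-endian encoding of the integer x in `width` bits."""
    return format(x, f"0{width}b")


def _oracle(tag, *parts, out_bits):
    """Random-oracle stand-in: SHA-256 over a tagged, unambiguous encoding,
    truncated to out_bits. The tag separates F, RO1 and RO2 as the text
    suggests (one oracle plus a distinguishing input)."""
    data = tag + "|" + "|".join(parts)
    digest = hashlib.sha256(data.encode()).digest()
    return "".join(format(c, "08b") for c in digest)[:out_bits]


def RO1(key, mbar, i):
    """RO1: {0,1}^k x {0,1}^k x <i> -> {0,1}^n, yields mask mu_i."""
    return _oracle("RO1", key, mbar, str(i), out_bits=N)


def RO2(mbar, lam, i):
    """RO2: {0,1}^k x {0,1}^l x <i> -> {0,1}^{2n}, yields padding bits."""
    return _oracle("RO2", mbar, enc(lam, L_BITS), str(i), out_bits=2 * N)


def F(key, x):
    """Stand-in compression function {0,1}^k x {0,1}^{b+n} -> {0,1}^n."""
    assert len(x) == B + N
    return _oracle("F", key, x, out_bits=N)


def nu(i):
    """nu(i): the largest j such that 2^j divides i."""
    return (i & -i).bit_length() - 1


def rox_pad(msg):
    """rox-pad: append RO2(mbar,<lambda>,<1>) || RO2(mbar,<lambda>,<2>) || ...
    so that ell = ceil((lambda + 2n)/b) blocks are produced, i.e. at least
    2n padding bits land in the last block (an extra block if needed)."""
    lam = len(msg)
    assert lam >= K_BITS, "ROX assumes lambda >= k"
    mbar = msg[:K_BITS]
    ell = math.ceil((lam + 2 * N) / B)
    padded, i = msg, 1
    while len(padded) < ell * B:
        padded += RO2(mbar, lam, i)
        i += 1
    padded = padded[:ell * B]
    return [padded[j:j + B] for j in range(0, ell * B, B)]


def rox(key, msg):
    """ROX^{F,RO1,RO2}(K, M) as in the pseudocode of Sect. 4."""
    blocks = rox_pad(msg)
    mbar = msg[:K_BITS]
    ell = len(blocks)
    # masks mu_0 .. mu_{ceil(log2 ell)}; nu(i) never exceeds that index
    masks = [RO1(key, mbar, i) for i in range(math.ceil(math.log2(ell)) + 1)]
    h = IV
    for i, m_i in enumerate(blocks, start=1):
        mu = masks[nu(i)]
        g_i = "".join("1" if a != b else "0" for a, b in zip(h, mu))
        h = F(key, m_i + g_i)
    return h
```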
It is quite standard in cryptography for new primitives to first find instantia- 
tions in the random oracle model, only much later to be replaced with construc- 
tions in the standard model. It is interesting to see how the random oracles in the 
ROX construction can be instantiated if one were to implement it in practice. 
For an 80-bit security level, our results suggest that we should take k = 80 and 
n = 160. This means that we need a random oracle that reduces about 170 bits 
to 160 bits. A first suggestion might be to re-use the compression function with, 
say, three times as many rounds as normal, and with some different values of the 
constants. This approach violates good cryptographic hygiene, however, by hav- 
ing the design of the random oracle depend on that of the surrounding scheme. 
Perhaps a better solution would be to use one or more calls to a blockcipher like 
AES that was designed independently of the compression function. 

5 Properties Preserved by the ROX Construction 

The following theorem states that the ROX construction preserves all seven 
security properties that we consider here. We give a proof sketch for the preser- 
vation of Coll and a full proof for aSec below; the other proofs can be found in 
the full version [2]. We only note that the proofs for Sec, aSec and eSec are in 
the programmable random oracle model [?]; that for the case of Pre and aPre 
non-programmable random oracles suffice; and that Coll and ePre are preserved 
in the standard model. 

Theorem 7. For atk $\in$ {Coll, Sec, eSec, aSec, Pre, ePre, aPre}, if the compres- 
sion function $F : \{0,1\}^k \times \{0,1\}^{b+n} \to \{0,1\}^n$ is $(t', \varepsilon')$ atk-secure, then the 
iterated function $\mathrm{ROX}^F$ is $(t, q_{\mathrm{RO}}, \varepsilon)$ atk-secure in the random oracle model for 

  $t = t' - 2\ell \cdot t_F$ for atk = Coll   (2) 
  $t = t' - 2\ell \cdot t_F$ for atk = Sec    (3) 
  $t = t' - 2\ell \cdot t_F$ for atk = eSec   (4) 
  $t = t' - 2\ell \cdot t_F$ for atk = aSec   (5) 
  $t = t' - \ell \cdot t_F$ for atk $\in$ {Pre, ePre}   (6) 
  $t = t' - \ell \cdot t_F$ for atk = aPre   (7) 


&.Q , gRO 

O k ' o2n ’ 

gRO | 4o 

2 k 2 2 n ’ 


1 


Here, $t_F$ is the time required for an evaluation of F and $\ell = \lceil (\lambda + 2n)/b \rceil$ where 
$\lambda = |M|$. 


We repeat that above we do not model the compression function as a random 
oracle, but it is worth considering what the equations tell us if we do. Assum- 
ing for simplicity that $t_F = 1$, we know that a collision adversary running in 
$t' = 2^{n/2}$ steps has probability about 1/2 to find collisions in F, due to the 
birthday paradox, but only has probability $\varepsilon' = 2^{-n/2}$ to find preimages or 
second preimages. Nevertheless, existing iterations cannot guarantee (second) 
preimage resistance against $2^{n/2}$-time adversaries, because they merely inherit 
their (second) preimage resistance by implication from collision resistance.² The 
ROX construction, on the other hand, can. Assuming that queries to $\mathrm{RO}_1, \mathrm{RO}_2$ 
take unit time and taking k = n, the equations of Theorem 7 imply that an ad-
versary running in time $t = 2^{n/2} - 2\ell \approx 2^{n/2}$ steps has probability at most 
$\varepsilon = \ell \cdot 2^{-n/2} + 2^{n/2-k} + 2^{-n} \approx (\ell + 1) \cdot 2^{-n/2}$ to find second preimages, and has 
probability at most $\varepsilon = 2^{-n/2} + 2^{n/2-n} \approx 2^{-n/2+1}$ to find preimages. 

Proof (Equation (2) (Sketch)). If M, M' is a pair of colliding messages, then 
consider the two chains of compression function calls in the computation of 
$\mathrm{ROX}^F(K, M) = \mathrm{ROX}^F(K, M')$. If the inputs to the final call to F are different for 
M and M', then these inputs form a collision on F and we’re done. If they are 
the same, then remember that at least 2n bits of these inputs are the output of 
$\mathrm{RO}_2(\bar m, \langle \lambda \rangle, \langle i \rangle)$ and $\mathrm{RO}_2(\bar m', \langle \lambda' \rangle, \langle j \rangle)$, respectively. If these are different queries 
to $\mathrm{RO}_2$, yet their outputs are the same, then the adversary must have found a 
collision on $\mathrm{RO}_2$; the odds of it doing so are bounded by $q_{\mathrm{RO}}^2 / 2^{2n}$. If these queries 
are the same, however, then we have that $\bar m = \bar m'$ and $\lambda = \lambda'$, and therefore that 
the masks in both chains $\mu_i = \mu'_i = \mathrm{RO}_1(K, \bar m, \langle i \rangle)$. Identical chaining inputs to 
the $\ell$-th call to F must therefore be caused by identical outputs of the $(\ell - 1)$-st call 
to F. If the inputs to the $(\ell - 1)$-st call are different then we have a collision on 
F here, otherwise we repeat the argument to the $(\ell - 2)$-nd call, and so on. A 
collision on F will be found unless M = M'. We refer to the full version [2] for 
a more detailed proof. 

Proof (Equation (5)). Given an aSec[$\lambda$] adversary A against $\mathrm{ROX}^F$ for any $\lambda \in \mathbb{N}$, 
we will construct an aSec adversary B against F. The overall strategy will be 
that B “embeds” his own challenge message at a random point in the chain, and 
hopes that A’s output yields a second preimage at exactly the point in the chain 
where B has embedded his challenge. 

Algorithm B runs A to obtain a key $K \in \{0,1\}^k$, responding to its random 
oracle queries by maintaining associative arrays $T_1[\cdot], T_2[\cdot]$. B outputs the same 
key K and is then given as input a random challenge message $m \| g \in \{0,1\}^{b+n}$. 
It chooses a random index $i^* \leftarrow \{1, \ldots, \ell = \lceil (\lambda + 2n)/b \rceil\}$. We first explain how 
B can construct a message M of length $\lambda$ so that $m_{i^*} = m$ in $m_1 \| \ldots \| m_\ell \leftarrow$ 
rox-pad$^{\mathrm{RO}_2}(M)$; the rest of the message blocks are randomly generated. After 
that, we will show how g can be embedded into the chain such that $g_{i^*} = g$. If 
$i^* = 1$ then B sets $\bar m$ to the first k bits of m, otherwise it chooses $\bar m \leftarrow \{0,1\}^k$ 
and sets the first k bits of M to $\bar m$. We distinguish between Type-I message 
blocks that only contain bits of M, Type-II message blocks of which the first 
$\lambda_b = (\lambda \bmod b)$ bits are the last $\lambda_b$ bits of M and the remaining bits are generated 
by $\mathrm{RO}_2$, and Type-III message blocks that consist entirely of bits generated by 
$\mathrm{RO}_2$. Embedding m in a Type-I message block can simply be done by setting b 

² For the Prefix-free MD [?] and EMD [?] iterations this is a bit paradoxical, because 
they were designed to preserve “random oracle behavior”. Surely, (second) preimage 
resistance should fall under any reasonable definition of “random oracle behavior”? 
The caveat here is that the proof [?, Theorem 5.2] bounds the distinguishing prob- 
ability to $O(q_{\mathrm{RO}}^2 / 2^n)$, so that the theorem statement becomes moot for $q_{\mathrm{RO}} = 2^{n/2}$. 
bits of M to m starting at bit position $(i^* - 1)b + 1$. To embed m in a Type- 
II message block, B sets the last $\lambda_b$ bits of M to the first $\lambda_b$ bits of m, and 
programs the first $(b - \lambda_b)$ bits of $T_2[\bar m, \langle \lambda \rangle, \langle 1 \rangle] \| T_2[\bar m, \langle \lambda \rangle, \langle 2 \rangle] \| \ldots$ to be the 
last $(b - \lambda_b)$ bits of m. For Type-III blocks, B chooses M completely at random 
and sets b bits of $T_2[\bar m, \langle \lambda \rangle, \langle 1 \rangle] \| T_2[\bar m, \langle \lambda \rangle, \langle 2 \rangle] \| \ldots$ to m, starting at the 
$(b - \lambda_b + 1)$-st bit position. Bits of M and $T_2[\bar m, \cdot]$ that are still undefined are 
chosen at random. If any of these table entries were already defined during A’s 
first run, then B aborts. Notice however that A’s view during the first run is 
independent of $\bar m$, so its probability of making such a query is at most $q_{\mathrm{RO}}/2^k$. 

To enforce that $g_{i^*} = g$ in the computation of $\mathrm{ROX}^{F, \mathrm{RO}_1, \mathrm{RO}_2}(K, M)$, algo- 
rithm B runs the reconstruction algorithm of [?] that, given message blocks 
$m_1, \ldots, m_{i^*}$ and chaining value $g_{i^*}$, outputs random mask values $\mu_0, \ldots, \mu_t$ such 
that the chaining input to the $i^*$-th compression function call is $g_{i^*}$. B’s goal is 
to program these masks into $\mathrm{RO}_1$ by setting $T_1[K, \bar m, \langle i \rangle] \leftarrow \mu_i$ for $0 \leq i \leq t$, 
such that it is possible to check that the value for $g_{i^*}$ obtained during the hash 
computation is indeed g. However, if any of the hash table entries $T_1[K, \bar m, \langle i \rangle]$ 
for $0 \leq i \leq t$ has already been defined, then B aborts. This can only occur when 
A asked a query $\mathrm{RO}_1(K, \bar m, \langle i \rangle)$ during its first phase, but again, the probability 
of it doing so is at most $q_{\mathrm{RO}}/2^k$ because its view is independent of $\bar m$. 

Algorithm B then runs A again on input target message M, responding to 
its random oracle queries as before, until it outputs a second preimage M'. Let 
$m'_1 \| \ldots \| m'_{\ell'} \leftarrow$ rox-pad$^{\mathrm{RO}_2}(M')$ be the parsed message. For the same argu- 
ments as in the proof of Equation (2) above, there must exist an index $I > 0$ 
such that $h_I = h'_I$ but $m_I \| g_I \neq m'_I \| g'_I$, unless A found a collision in the random 
oracle $\mathrm{RO}_2$. If $i^* = I$, then B outputs $m'_I \| g'_I$. 

B wins the game whenever A does and $i^* = I$, unless A succeeded in causing 
a collision in $\mathrm{RO}_2$ or any of the values that are programmed in $\mathrm{RO}_1, \mathrm{RO}_2$ were 
already queried. Let $E_1$ be the event that at least one of the preprogrammed 
values is queried by A on a different input and $E_2$ be the event that A manages 
to find at least one collision in $\mathrm{RO}_2$. Let ABORT be the event that B aborts, then 

  $\Pr[\mathrm{ABORT}] = \Pr[E_1] + \Pr[E_2 \wedge \neg E_1] \leq \Pr[E_1] + \Pr[E_2]$. 

Since B perfectly simulates A’s environment, the advantage of B is given by 

  $\varepsilon' \geq \Pr[\text{A wins} \wedge i^* = I \mid \neg\mathrm{ABORT}] \cdot \Pr[\neg\mathrm{ABORT}]$ 

The running time of B is that of A plus at most $2\ell$ evaluations of F. Equation (5) 
follows. 


Possible Tweaks. The scheme can be simplified if not all seven properties need 
to be preserved. For example, if the key K is dropped from the input to $\mathrm{RO}_1$, 
the ROX construction fails to preserve eSec and ePre, but still preserves all other 
notions. Dropping the message bits $\bar m$ from the input of either $\mathrm{RO}_1$ or $\mathrm{RO}_2$ 
destroys the preservation of aSec and aPre, but leaves the preservation of other 
notions unharmed. 
Abstract. Recent collision-finding attacks against hash functions such 
as MD5 and SHA-1 motivate the use of provably collision-resistant (CR) 
functions in their place. Finding a collision in a provably CR func- 
tion implies the ability to solve some hard problem (e.g., factoring). 
Unfortunately, existing provably CR functions make poor replacements 
for hash functions as they fail to deliver behaviors demanded by prac- 
tical use. In particular, they are easily distinguished from a random 
oracle. We initiate an investigation into building hash functions from 
provably CR functions. As a method for achieving this, we present the 
Mix-Compress-Mix (MCM) construction; it envelopes any provably CR 
function H (with suitable regularity properties) between two injective 
“mixing” stages. The MCM construction simultaneously enjoys (1) prov- 
able collision-resistance in the standard model, and (2) indifferentiability 
from a monolithic random oracle when the mixing stages themselves are 
indifferentiable from a random oracle that observes injectivity. We in- 
stantiate our new design approach by specifying a blockcipher-based 
construction that appropriately realizes the mixing stages. 

1 Introduction 

Background. SHA-1, a Merkle-Damgard style [?] iterated function, is 
provably collision resistant under the assumption that its underlying compres- 
sion function is collision resistant. But the recent collision-finding attacks against 
SHA-1 (and related hash functions) [?] have made clear the point that as- 
sumptions of collision resistance are often unfounded in practice. 

Rather than assuming collision resistance outright, several works [?] 
build functions for which the guarantee of collision resistance rests, in a 
provable way, on the hardness of some well-studied computational problem. As a 
simple example, consider the function $H(m) = x^m \bmod n$ where x is some fixed 
base and n is a (supposedly) hard-to-factor composite [?]. This function is 
(what we shall call) provably CR since there exists a formal reduction showing 
that the ability to find collisions in H implies the ability to efficiently factor n. 

But such a collision-resistant function is not a hash function, at least not 
when one attempts to define a hash function by its myriad uses in practice¹. For 
example, hash functions are frequently used as a way to compress and ‘mix-up’ 
strings of bits in an ‘unpredictable’ way; here it seems clear that the intent is for 
the hash function to mimic a random oracle, a publicly available random function 
with a large domain. Unfortunately, the provably CR function H is a poor real- 
world instantiation of a random oracle. Note, for example, that $H(2m) = H(m)^2 
\pmod n$, which would be true with exceedingly small probability if H were 
instead a random oracle. The very structure that gives H and other provably CR 
functions their collision-resistance thus renders them useless for many practical 
applications of hash functions [?]. 

On the other hand, recent results [?] offer constructions that ‘behave’ as 
random oracles (and are called pseudorandom oracles, or PROs) when the under- 
lying primitives are themselves idealized objects, like fixed-input-length random 
oracles or ideal ciphers. In theory then, a PRO is a secure hash function in a 
very broad sense. But the security guarantees offered by a PRO only hold in an 
idealized model. When one steps outside of the ideal model in which the security 
proofs take place, the actual security guarantees are much less clear. As an ex- 
ample, Bellare and Ristenpart [?] have pointed out that the PRO constructions 
from [?] fail to be collision resistant when the underlying compression function 
is only assumed to be CR (rather than being a fixed-input-length random oracle). 
This paper. We begin an investigation into methods for building functions 
that are both provably CR in the standard model and provably pseudorandom 
oracles in idealized models. In particular, we offer a generic construction that 
we call Mix-Compress-Mix, or MCM; See Figure 0 Essentially MCM is a way to 
encapsulate a provably CR function in such a way that the resulting object is 
a PRO when the encapsulation steps behave ideally, and yet remains provably 
collision resistant in the standard model (i.e., when the encapsulation steps are 
only complexity theoretic objects). 

The construction is simple: first apply an injective “mixing” step $\mathcal{E}_1$ to the input message, then compress the result using a provably CR function H, and finally apply a second injective “mixing” step $\mathcal{E}_2$ to produce the output. Here H and $\mathcal{E}_1$ can accept variable-input-lengths. Note that since MCM is building a hash function, the mixing steps $\mathcal{E}_1$ and $\mathcal{E}_2$ are necessarily deterministic and publicly computable functions. By demanding that they also be injective, we have immediately that collisions against MCM imply collisions against H. We stress that no cryptographic assumptions about the mixing steps are needed to prove collision resistance of MCM.

¹ This viewpoint is not ours alone. One of the designers of VSH [12], Arjen Lenstra, once publicly stated “VSH is not a hash function.”

Fig. 1. The MCM construction: H is a collision resistant hash function, and $\mathcal{E}_1$, $\mathcal{E}_2$ are mixing functions. All three components of MCM must be deterministic and publicly computable.


At the same time, MCM behaves like a random oracle when $\mathcal{E}_1, \mathcal{E}_2$ are PROs, and the CR hash function is close to regular (i.e., the preimage set of any particular output isn’t too large). In fact, we will actually construct $\mathcal{E}_1, \mathcal{E}_2$ to be pseudorandom injective oracles, or PRIOs; we’ll say more about these in a moment. To make precise our use of the word “behaves” above, we use the indifferentiability framework of Maurer et al. [23]. We’ll prove that MCM is indifferentiable from a monolithic random oracle when the mixing steps $\mathcal{E}_1$ and $\mathcal{E}_2$ are indifferentiable from random oracles (that observe injectivity). While the formal results are quite technical, the practical intuition behind the security of MCM is straightforward: the mixing steps obfuscate input-output relationships of the underlying compressing step. Recall our provably CR example $H(m) = x^m \bmod n$ and the associated attack that distinguished it from a random oracle. Adapting that attack for use against $\mathcal{H}(M) = \mathcal{E}_2(H(\mathcal{E}_1(M)))$ requires that the adversary determine non-trivial input-output relationships across both $\mathcal{E}_1$ and $\mathcal{E}_2$, too.

One might be tempted to think a construction even simpler than MCM meets our goals. In Section 4 we discuss natural simplifications of MCM (e.g., dropping $\mathcal{E}_1$ or lifting our stringent injectivity requirements), showing that these fall short in one way or another. Moreover, we review in more detail why existing approaches for building hash functions also fail.

Although we have just described MCM in the variable-input-length setting, we note that it also works for building a dual-property compression function (i.e., a fixed-input-length function) from any CR compression function. The result could then be used inside a multi-property-preserving domain extension transform such as EMD [5].

A new approach to hash function design. By generically composing appropriate mixing and compressing stages, MCM allows the following separation of design tasks. First, design a function with strong guarantees of collision-resistance, inducing whatever structure is necessary. Second, design an injective function that destroys any structure present in its input. This approach is a significant departure from traditional hash function designs, in which one typically constructs a compression function that must necessarily (and simultaneously) be secure in various ways. With MCM, we instead build a hash function by designing components to achieve specific security goals. The benefits of such specialized components are immediate: MCM allows building a single hash function that has very strong CR guarantees while simultaneously being suitable for instantiating a random oracle.

Secure mixing steps. Remaining is the question of how to build mixing steps sufficient for the goals of MCM. As we’ve said, we require the mixing steps to be both injective and indifferentiable from a random oracle that observes injectivity. At first glance these requirements might seem overly burdensome. Can’t the requirement simply be for the mixing steps to realize pseudorandom oracles, which we already know (via [refs]) how to build? No: while a PRO would satisfy the second constraint, albeit with some additive birthday-bound loss in concrete security, it would not at the same time suffice for MCM’s crucial standard-model CR guarantee. This is because a PRO provides no guarantees of collision-resistance outside of an idealized model. In fact, simultaneously satisfying both requirements, injectivity and indifferentiability, is technically challenging.

To our knowledge, building a PRIO has never been considered before. Dodis and Puniya [refs] consider a similar goal, that of building random permutations from random functions, but these are invertible by construction, whereas PRIOs are not. Moreover, their proofs of security only hold for honest-but-curious adversaries. We therefore present the Tag-and-Encipher (TE) construction for realizing a PRIO (see Section 5). It is a blockcipher mode of operation (which also employs a single trapdoor one-way permutation call) that is injective by construction. In the ideal cipher model and under the assumption of trusted setup of the trapdoor permutation, the TE construction is indifferentiable from an injective random oracle. While not particularly efficient, we view the TE construction as a proof-of-concept, and hope it fosters future efforts to build these novel primitives.

Notes on indifferentiability and composability. In order to accomplish 
our task of building a hash function with both strong standard model and ideal 
model guarantees, we exercise the indifferentiability framework in novel ways. 
First, both MCM and TE are a combination of complexity-theoretic objects (the 
CR function H and the trapdoor permutation) and information-theoretic ob- 
jects (the idealized components). Previous indifferentiability results have been 
solely information-theoretic. Second, our model allows the simulator to choose 
the trapdoor permutation utilized in TE. These two facts imply limitations on 
the generic composability of our schemes. Composability refers to the guarantee 
that any cryptographic scheme proven secure using an ideal object remains se- 
cure when this object is replaced by a construction that is indifferentiable from 
it. In practice the limited composability of our constructions means that they 
might not be suitable for all applications of random (injective) oracles. We dis- 
cuss this matter in more detail, and pose some interesting open questions raised 
by it, in Section 0 

2 Preliminaries 

Basics. Let $X, Y \in \{0,1\}^*$. We denote the concatenation of X and Y by $X \| Y$ or simply $XY$. The $i$th bit of X is $X[i]$ and so $X = X[1]X[2]\cdots X[|X|]$. We write $X|_n$ (resp. $X|^n$) to represent the substring consisting of the last (resp. first) n bits of X for any $n \le |X|$. For a set S we often write $S \xleftarrow{\cup} x$, which means $S \leftarrow S \cup \{x\}$. We define $\mathrm{Time}_f(\mu)$ as the worst-case time to compute f on a message of length at most $\mu$.

Following [refs] we utilize Interactive Turing Machines (ITMs) for our computational model. Cryptographic primitives, schemes, and adversaries are all interactive Turing machines.

Random functions and injections. Let Dom and Rng be sets. Recall that a function $f\colon Dom \to Rng$ is injective if $f(X) = f(X')$ implies that $X = X'$. (Necessarily for an injection $|Dom| \le |Rng|$.) For simplicity, we only consider injections with constant stretch $\tau$. In particular, if $X \in Dom$ then $|f(X)| = |X| + \tau$. The following algorithms implement a random function and a random injection.


Algorithm $\mathrm{RI}_{Dom,Rng}(X)$:
    $\ell \leftarrow |X| + \tau$
    If $I[X] \neq \bot$ then Ret $I[X]$
    $I[X] \xleftarrow{\$} \{0,1\}^{\ell} \setminus \mathcal{R}_\ell$
    $\mathcal{R}_\ell \xleftarrow{\cup} I[X]$
    Ret $I[X]$

Algorithm $\mathrm{RF}_{Dom,Rng}(X)$:
    If $R[X] \neq \bot$ then Ret $R[X]$
    Ret $R[X] \xleftarrow{\$} Rng$


The tables R and I are initially everywhere set to $\bot$ and the set $\mathcal{R}_\ell$ is initially empty for every $\ell$. We write $f = \mathrm{RF}_{Dom,Rng}$ to signify that f is an ITM mapping points from Dom to Rng according to the algorithm specified above. We write $\mathrm{RF}_{d,r}$ if $Dom = \{0,1\}^d$ and $Rng = \{0,1\}^r$ for some numbers d, r. We write $\mathcal{I} = \mathrm{RI}_{Dom,Rng}$ for an ITM mapping points from Dom to Rng as per the algorithm specified above. (The other notational conventions lift to RI in the obvious ways.) A random oracle is a random function that is publicly accessible by all parties. Similarly, a random (or ideal) injection is a publicly-accessible random function that respects injectivity.

Ideal ciphers. For integers $k, n > 0$, a blockcipher $E\colon \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^n$ is a function for which $E(K,\cdot) = E_K(\cdot)$ is a permutation for every $K \in \{0,1\}^k$. The inverse of E is D and is defined such that $D(K,Y) = M$ iff $E(K,M) = Y$. An ideal cipher is a blockcipher uniformly selected from $\mathrm{BC}(k,n)$, the space of all blockciphers with k-bit keys and n-bit blocksize. In the ideal cipher model, both an ideal cipher E and its inverse are given to all parties as oracles.
Security notions. Let $f\colon \mathcal{K} \times Dom \to Rng$ be a function family indexed by a non-empty key space $\mathcal{K}$. Then we define the collision-finding advantage of an adversary A against f as

$$\mathrm{Adv}^{cr}_f(A) = \Pr\big[\, f_K(X) = f_K(X') \wedge X \neq X' \;:\; K \xleftarrow{\$} \mathcal{K};\ (X, X') \xleftarrow{\$} A(K) \,\big]$$

where the probability is over the random choice of K and the random coins utilized by A.

A function $f\colon Dom \to \{0,1\}^\eta$ is regular if each image has an equal number of preimages. A function family $f\colon \mathcal{K} \times Dom \to \{0,1\}^\eta$ is regular if $f_K$ is regular for each $K \in \mathcal{K}$. Associated to a function family f is the set $\mathrm{PreIm}(K,\ell,Y)$ that, for each $K \in \mathcal{K}$, $\ell$ such that $\{0,1\}^\ell \subseteq Dom$, and $Y \in \{0,1\}^\eta$, is the set of preimages (under K) of Y that are of length $\ell$. That is, $\mathrm{PreIm}(K,\ell,Y) = \{X : X \in Dom \wedge |X| = \ell \wedge f_K(X) = Y\}$. We also define the following function related to f:

$$\delta(K,\ell,Y) = |\mathrm{PreIm}(K,\ell,Y)| \cdot 2^{\eta-\ell}.$$

The $\delta$ function measures how much bigger (or smaller) a particular preimage set is than it would be if $f_K$ were regular. We define $\Delta_K = \max\{\delta(K,\ell,Y)\}$, where the maximum is taken over all choices of $\ell$ and Y, and we say a function family f is $\Delta$-regular if

$$\frac{\sum_{K \in \mathcal{K}} \Delta_K}{|\mathcal{K}|} \le \Delta.$$

Intuitively, this measures on average (over keys) how far f is from regular.
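As an added illustration (not from the paper) of the $\delta$ and $\Delta$-regularity definitions above, the following Python enumerates the preimage sets of a small constructed function family $f_K(X) = K \cdot \mathrm{int}(X) \bmod 2^\eta$ with $\eta = 3$, two message lengths and keys $1,\ldots,7$; the odd keys give regular functions ($\Delta_K = 1$) while the even keys inflate some preimage sets.

```python
from itertools import product

# Constructed toy family (not from the paper): eta = 3 output bits, messages of length 3 or 5,
# key space K = {1, ..., 7}, f_K(X) = (K * int(X)) mod 2^eta. Odd K multiply bijectively mod 8,
# even K collapse the image onto a subgroup, so some outputs get more preimages than others.
ETA = 3
LENGTHS = (3, 5)
KEYS = range(1, 8)


def f(K, X):
    """f_K(X) for a bit string X such as "01101"."""
    return (K * int(X, 2)) % (1 << ETA)


def preim(K, ell, Y):
    """PreIm(K, ell, Y): every length-ell string X with f_K(X) = Y."""
    return [X for X in ("".join(b) for b in product("01", repeat=ell)) if f(K, X) == Y]


def delta(K, ell, Y):
    """delta(K, ell, Y) = |PreIm(K, ell, Y)| * 2^(eta - ell): equals 1 exactly when the
    preimage set has the size 2^(ell - eta) it would have under a regular f_K."""
    return len(preim(K, ell, Y)) * 2 ** (ETA - ell)


def delta_K(K):
    """Delta_K: the worst case of delta over all lengths and all outputs for key K."""
    return max(delta(K, ell, Y) for ell in LENGTHS for Y in range(1 << ETA))


def min_regularity_bound():
    """The smallest Delta for which the family is Delta-regular: the average of Delta_K over keys."""
    return sum(delta_K(K) for K in KEYS) / len(KEYS)


if __name__ == "__main__":
    for K in KEYS:
        print(f"K={K}: Delta_K={delta_K(K)}")
    print("family is Delta-regular for Delta =", min_regularity_bound())
```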

Let F be a trapdoor permutation generator: on input $1^k$ it outputs a trapdoor permutation pair $(f, f^{-1})$ where $f\colon \{0,1\}^k \to \{0,1\}^k$ and $f^{-1}(f(X)) = X$. The one-way advantage of an adversary A against F for security parameter k is defined by

$$\mathrm{Adv}^{owf}_F(A) = \Pr\big[\, f(X) = f(X') \;:\; (f, f^{-1}) \xleftarrow{\$} F(1^k);\ X \xleftarrow{\$} \{0,1\}^k;\ Y \leftarrow f(X);\ X' \xleftarrow{\$} A(f, Y) \,\big].$$

The RSA and Rabin function families are conjectured to allow generation of secure trapdoor permutations [refs].

PROs and PRIOs. The notion of indifferentiability is a generalization of conventional indistinguishability [23]. It facilitates reasoning about the ability of constructions to emulate some idealized functionality (e.g., a random oracle) in settings where the construction itself utilizes public, idealized components (e.g., an ideal cipher or fixed-input-length (FIL) random oracle). We follow the formalization of indifferentiability from [refs] to define security for pseudorandom oracles and pseudorandom injective oracles. First, a simulator $S = (S_1, \ldots, S_l)$ is an interactive Turing machine with l interfaces $S_1, \ldots, S_l$. The interfaces share common state, i.e. all variables defined in one interface are available to all other interfaces. Let C be some cryptographic scheme utilizing primitives $f_1, \ldots, f_l$ and let Dom and Rng be non-empty sets. We define the pro and prio advantage of an adversary A against C with respect to simulator S as

$$\mathrm{Adv}^{pro}_{C,S}(A) = \Pr\big[A^{C^{f_1,\ldots,f_l},\,f_1,\ldots,f_l} \Rightarrow 1\big] - \Pr\big[A^{\mathcal{F},\,S^{\mathcal{F}}} \Rightarrow 1\big]$$

$$\mathrm{Adv}^{prio}_{C,S}(A) = \Pr\big[A^{C^{f_1,\ldots,f_l},\,f_1,\ldots,f_l} \Rightarrow 1\big] - \Pr\big[A^{\mathcal{I},\,S^{\mathcal{I}}} \Rightarrow 1\big]$$

where $\mathcal{F} = \mathrm{RF}_{Dom,Rng}$ and $\mathcal{I} = \mathrm{RI}_{Dom,Rng}$ and the probabilities are over the random coins used by the appropriate objects. We emphasize that the simulator has oracle access to the idealized object ($\mathcal{F}$ or $\mathcal{I}$), but does not see the queries A makes to it. In the case that the construction uses publicly-keyed components (e.g., the key for a CR function), all three entities (C, S, A) have access to the key. We disallow A from making pointless queries, which in this setting means querying an oracle twice.

Informally we call a cryptographic scheme C a pseudorandom oracle (PRO), or say it is indifferentiable from a random oracle, if there exists an “efficient” simulator against which all adversaries have “small” pro advantage. Likewise we call a cryptographic scheme C a pseudorandom injective oracle (PRIO) if there exists an “efficient” simulator against which all adversaries have “small” prio advantage. We do not formalize “efficient” or “small”, instead giving concrete running times and bounds.

We formalize trusted setup of a trapdoor permutation generator F via an interactive Turing machine TGen that behaves as follows. When called, it computes $(f, f^{-1}) \xleftarrow{\$} F(1^k)$ and returns f. Subsequent calls return the same f. Constructions that utilize a trapdoor permutation are given oracle access to TGen, for example in the pro and prio definitions $f_i = \mathrm{TGen}$ for some $i \in [1\,..\,l]$. We also allow the simulator to run the oracle corresponding to TGen. This means, in particular, that the simulator knows the trapdoor $f^{-1}$, while the adversary does not. See Section © for a discussion of the repercussions of this modeling decision.

3 The MCM Construction 

Fix numbers $\eta$ and $\tau$. Let $H\colon \mathcal{K} \times \mathcal{M}_H \to \{0,1\}^\eta$ be a function family with key space $\mathcal{K}$ and domain $\mathcal{M}_H = \{0,1\}^{\le L}$ for some large number L (e.g., $2^{64}$). Let $\mathcal{E}_1\colon \mathcal{M} \to \mathcal{M}_H$ be an injective function where $\mathcal{M} = \{0,1\}^{\le L'}$ for $L' = L - \tau$. For any $X \in \mathcal{M}$ we have that $|\mathcal{E}_1(X)| = |X| + \tau$, hence $\tau$ is the stretch of $\mathcal{E}_1$. Finally let $\mathcal{E}_2\colon \{0,1\}^\eta \to \{0,1\}^{\eta+\tau}$ be an injective function. Then we define the hash function $\mathcal{H} = \mathrm{MCM}[\mathcal{E}_1, H, \mathcal{E}_2]$ with key space $\mathcal{K}$, domain $\mathcal{M}$, and range $\{0,1\}^{\eta+\tau}$ by $\mathcal{H}_K(M) = \mathcal{H}(K, M) = \mathcal{E}_2(H_K(\mathcal{E}_1(M)))$. Overloading our notation, if $\mathcal{I}_1 = \mathrm{RI}_{\mathcal{M},\mathcal{M}_H}$ and $\mathcal{I}_2 = \mathrm{RI}_{\eta,\eta+\tau}$ then we write $\mathcal{H} = \mathrm{MCM}[\mathcal{I}_1, H, \mathcal{I}_2]$ where now $\mathcal{H}$ is itself an ITM using oracle access to $\mathcal{I}_1$ and $\mathcal{I}_2$ to calculate $\mathcal{H}_K(M) = \mathcal{I}_2(H_K(\mathcal{I}_1(M)))$.

Here $\tau$ is also the stretch of $\mathcal{H}$: it’s the number of bits beyond $\eta$ needed to hold a hash value. Ideally $\tau = 0$, in which case $\mathcal{E}_1$ and $\mathcal{E}_2$ would be permutations. We have the following theorem, which states that $\mathcal{H}$ inherits the collision-resistance of H.

Theorem 1. Fix $\eta > 0$ and $\tau > 0$. Let $H\colon \mathcal{K} \times \mathcal{M}_H \to \{0,1\}^\eta$ be a function and $\mathcal{E}_1\colon \mathcal{M} \to \mathcal{M}_H$ and $\mathcal{E}_2\colon \{0,1\}^\eta \to \{0,1\}^{\eta+\tau}$ be injections. Let $\mathcal{H} = \mathrm{MCM}[\mathcal{E}_1, H, \mathcal{E}_2]$. Let A be an adversary that runs in time t and outputs messages each of length at most $\mu$. Then there exists an adversary B such that

$$\mathrm{Adv}^{cr}_{\mathcal{H}}(A) = \mathrm{Adv}^{cr}_H(B)$$

where B runs in time $t' \le t + 2(c\mu + \mathrm{Time}_{\mathcal{E}_1}(\mu))$ for an absolute constant c.

Proof. Let B be the adversary that behaves as follows. On input key K it runs A(K), which eventually outputs $(X, X')$. Then B outputs $(\mathcal{E}_1(X), \mathcal{E}_1(X'))$. We have that if $\mathcal{H}_K(X) = \mathcal{H}_K(X')$ then because $\mathcal{E}_1$ and $\mathcal{E}_2$ are injections, necessarily $H_K(\mathcal{E}_1(X)) = H_K(\mathcal{E}_1(X'))$. Adversary B runs in time $t' \le t + 2(c\mu + \mathrm{Time}_{\mathcal{E}_1}(\mu))$ where c is an absolute constant. ∎

We point out that similar theorems can be given for several other hash function properties, including target collision-resistance (TCR, or eSec), preimage resistance, and always preimage resistance (aPre) [33]². The next theorem captures that MCM is a PRO if both $\mathcal{E}_1$ and $\mathcal{E}_2$ are modeled as random injections.

Theorem 2. Fix $\eta > 0$ and $\tau > 0$. Let $H\colon \mathcal{K} \times \mathcal{M}_H \to \{0,1\}^\eta$ be a $\Delta$-regular function, $\mathcal{I}_1 = \mathrm{RI}_{\mathcal{M},\mathcal{M}_H}$, and $\mathcal{I}_2 = \mathrm{RI}_{\eta,\eta+\tau}$. Let $\mathcal{H} = \mathrm{MCM}[\mathcal{I}_1, H, \mathcal{I}_2]$. Let v be the minimal message length of $\mathcal{H}$. Let A be an adversary that runs in time t and makes at most $(q_1, q_2, q_3)$ queries with the combined length of all queries being at most $\mu$. Then there exists an adversary B such that

$$\mathrm{Adv}^{pro}_{\mathcal{H},S}(A) \le \mathrm{Adv}^{cr}_H(B) + \ldots$$

(the remaining terms of the bound are not legible in this copy; per the proof sketch below they are two birthday-bound terms and a term depending on $\Delta$) where the simulator S, specified below, runs in time $t_S \le c\mu(q_1 + q_1 q_3)$ for some absolute constant c and makes at most $\min\{q_2, q_3\}$ oracle queries. Adversary B runs in time at most $t_B \le t + t_S + c'\mu$ for some absolute constant $c'$.

The proof of this theorem is given in the full version of the paper [ref], though below we give a sketch highlighting the main aspects of the proof. First, we discuss the theorem statement. As long as $\mathcal{E}_1$ and $\mathcal{E}_2$ are PRIOs we can securely replace them by actual random injections (as per the composition theorem of [23]). Then, Theorem 2 states that no adversary can differentiate between a real random oracle and the construction unless it is given sufficient time to break the collision-resistance of H or allowed to make approximately $2^{(\tau + \min\{\eta, v\})/2}$ queries. Here v could in fact be small, since this is the minimal message length in the domain of our hash function (and we’d certainly want to include short messages). However, in practice, H will have some minimal message length $v_H$ (e.g., the blocksize of an underlying compression function) to which short messages would necessarily be padded anyway. Thus, $\mathcal{H}$ can ‘aggressively’ pad short strings to a minimal length $v = v_H - \tau$, recovering our security guarantee.

Proof (Sketch). We first fix a simulator $S = (S_1, S_2)$, which has access to the random oracle $\mathcal{R}$. The first interface $S_1$ implements a random injection $\mathcal{I}_1 = \mathrm{RI}_{\mathcal{M},\mathcal{M}_H}$ without ever using its access to $\mathcal{R}$. The second interface works as described below (recall that it has access to all of the values defined for $\mathcal{I}_1$):


² Although it is unclear how one would prove that MCM preserves the other notions from [33], specifically everywhere preimage resistance (ePre), second-preimage resistance (Sec) and always second-preimage resistance (aSec).
procedure $S_2(Y)$:
    If $\exists M$ s.t. $Y = H_K(\mathcal{I}_1(M))$ then Ret $\mathcal{R}(M)$
    Ret $C \xleftarrow{\$} \{0,1\}^{\eta+\tau}$

This interface checks if $\mathcal{I}_1$ already maps a string M to a preimage under $H_K$ of the queried value Y. In the case that multiple such M exist, the lexicographically first is used. If such an M exists, then the simulator queries $\mathcal{R}$ on M and the output of $S_2(Y)$ is “programmed” to match this value.

Now we argue that no adversary A, given K, can differentiate between oracles $(\mathcal{H}, \mathcal{I}_1, \mathcal{I}_2)$ and $(\mathcal{R}, S_1, S_2)$. Let $O_1, O_2, O_3$ be the oracles given to A. By the construction of the simulator, the adversary gains no advantage by querying messages in the order of the construction, i.e. a query $X \leftarrow O_2(M)$ and then $O_3(H_K(X))$. On the other hand, there do exist sequences of queries that can cause the simulator to fail (with high probability) to respond in a manner consistent with the responses of $(\mathcal{H}, \mathcal{I}_1, \mathcal{I}_2)$. We argue that these “bad” sequences are hard for any adversary to generate.

The first is if two messages M and M' are queried to $S_1$ and the returned values are such that $H_K(\mathcal{I}_1(M)) = H_K(\mathcal{I}_1(M')) = Y$. In this case the adversary can query Y to $S_2$ and the simulator can at best guess whether to return $\mathcal{R}(M)$ or $\mathcal{R}(M')$ (which are distinct with high probability). But note that since $\mathcal{I}_1$ is an injection, this actually implies that A has found a collision against $H_K$. This reflects the first term in the bound of the theorem statement.

The second “bad” sequence occurs if A queries $S_2(Y)$, forcing the simulator to commit to a return value Z, and then later queries $S_1(M)$ which returns a value X such that $H_K(X) = Y$. Since the probability is low that $\mathcal{R}(M) = Z$, there exists little chance that S answered the original query consistently. But the probability that $S_1(M)$ returns such an X is in fact the probability of choosing a random domain point X such that $H_K(X) = Y$. Indeed the $\Delta$-regularity of H gives that this can only happen with low probability. This accounts for the last term in the bound.

The remaining two unexplained terms correspond to birthday-bounds for moving between random injections and random functions. For a complete proof see the full version of the paper [ref]. ∎

4 Insecurity of Other Approaches 

Here we give just a brief investigation of several alternative approaches to MCM. 
In all cases, either the resulting object is not provably collision-resistant in the 
standard model or not provably a PRO in an ideal model. 

Using existing blockcipher-based hash functions. Let $E\colon \{0,1\}^n \times \{0,1\}^n \to \{0,1\}^n$ be a blockcipher, modeled as ideal. Let f be a 2n-bit to n-bit compression function. Fix some suitable domain extension transform, for example Merkle-Damgård with a prefix-free encoding. That is $\mathcal{H}(M) = f^+(g(M))$, where $f^+(M_1 \cdots M_m)$ is equal to $Y_m$ defined recursively by $Y_0 = IV$ (some constant) and $Y_i = f(Y_{i-1}, M_i)$, and $g\colon \{0,1\}^* \to (\{0,1\}^n)^+$ is a prefix-free padding function. For simplicity let g(M) simply split M into blocks of n − 1 bits (M having been appropriately padded), and then append a zero to each block except the last and a one to the last block. If f is one of the twenty group-1/2 schemes from [ref], then $\mathcal{H}$ is collision-resistant in the ideal cipher model. Moreover, a recent paper by Chang et al. [ref] shows that sixteen of these twenty yield a PRO $\mathcal{H}$.

156 T. Ristenpart and T. Shrimpton

However, as soon as one leaves the ideal cipher model, $\mathcal{H}$ is not provably CR. For example let E' be the blockcipher defined as follows:


where, now, E is no longer ideal. Let $f(Y_{i-1}, M_i) = E'(M_i, Y_{i-1}) \oplus Y_{i-1}$. We can see that an adversary can trivially find collisions against $\mathcal{H}$ built using E'. This is true even though E' is a good pseudorandom permutation (the usual standard model security property of blockciphers) whenever E is also.³
Removing injectivity requirements. If either $\mathcal{E}_1$ or $\mathcal{E}_2$ is not injective, then the MCM construction loses its provable collision-resistance. Assuming they are built using blockciphers (as we suggest), then one can, in spirit similar to the counter-example above, construct a collision resistant function H' and a good PRP E' that, when utilized in MCM, would lead to trivial collisions. Note that one might imagine replacing $\mathcal{E}_1$ and $\mathcal{E}_2$ with objects that are not injective, yet have some other standard model guarantees to ensure provable collision-resistance in MCM. Short of establishing their collision-resistance, it’s not clear what properties could achieve this goal. Additionally, this approach would seem to violate the separation of design tasks intrinsic to the MCM approach.
Omitting $\mathcal{E}_1$ from MCM. If one omits the first “mixing” step $\mathcal{E}_1$ of MCM, then the construction no longer results in a PRO. This result is essentially equivalent to the Coron et al. insecurity result regarding the composition of a CR and one-way function H with a random oracle [ref], but we state a version of it here for completeness. Let $\mathcal{H} = \mathrm{CM}[H, \mathcal{I}_2]$ be this modified construction for $\mathcal{I}_2 = \mathrm{RI}_{\eta,\eta+\tau}$, i.e. $\mathcal{H}(M) = \mathcal{I}_2(H(M))$. Now we show that $\mathcal{H}$ is easily differentiable from a true random oracle $\mathcal{R} = \mathrm{RF}_{\mathcal{M}_H,\eta+\tau}$. Let A be an adversary that queries its first oracle on a uniformly selected message $M \in \mathcal{M}_H$ of some length $\ell$. Let the returned value be C. Now the adversary queries its second oracle (representing either $\mathcal{I}_2$ or a simulator) on $H_K(M)$. Let the returned value be C'. If C = C' then A returns one, guessing that it’s interacting with the construction. Otherwise it returns zero, guessing that it’s interacting with the true random oracle. We have that $\Pr[A^{\mathcal{H},\mathcal{I}_2} \Rightarrow 1] = 1$. On the other hand, $\Pr[A^{\mathcal{R},S} \Rightarrow 1]$ is bounded by the advantage of a related adversary in breaking the one-wayness of H.

Allowing $\mathcal{E}_1, \mathcal{E}_2$ to be invertible. Our formalization of PRIOs ensures that constructions meeting the goal are not invertible. Thus, objects that are invertible do not meet the goal. It remains an open question whether MCM is, in fact, secure under easy-to-invert mixing steps.

³ Hopwood and Wagner noted (in postings on sci.crypt) that one could exhibit good PRPs that would make finding collisions in the twenty [ref] functions trivial.


5 Secure Mixing Steps: The TE Construction 

Pseudorandom injective oracles. We now turn to showing the feasibility of instantiating the mixing steps $\mathcal{E}_1$ and $\mathcal{E}_2$ starting from blockciphers. We note that our eventual construction also works starting from a suitable fixed-input-length random oracle. This would have slight theoretical benefits because of a lack of implication between the ROM and ICM [ref]. However, one might want to utilize blockciphers, and the proofs are only rendered more complex when considering invertible components, thus we stick to the former.

We specify a construction that is a PRIO, i.e. indifferentiable from a random injection. Under the composability guarantees of the indifferentiability framework [23] (though see Section 0), the security of schemes (e.g., MCM) proven secure while modeling components as ideal injections remains when these objects are replaced by PRIOs.

At first glance the notion of a PRIO might appear to be essentially equivalent to that of a pseudorandom oracle. The distinction is analogous to the difference between PRPs and PRFs. Indeed, random injections and random functions behave similarly up to a birthday-bound, which implies that any PRIO is a good PRO and vice versa. But the more important (and subtle) concern is that the closeness of the definitions might lead one to the conclusion that there are trivial constructions for our mixing steps, utilizing any PRO. However, this would be entirely insufficient for our application because, while a PRO appears injective with high probability, it is not necessarily injective by construction. Once we step outside of idealized models we would then have a standard model object that does not suffice for the collision-resistance guarantee of Section 3. So for clarity of exposition and analysis, we found it useful to draw a distinction between the two objects.

Building a PRIO that is injective by construction from a blockcipher (modeled as ideal) proves a challenging task. Our object must be publicly computable, so no secret keys are allowed. A minimum intuitive security requirement for the object is that the outputs resulting from applying it to two messages that differ in a single bit must appear to have been chosen independently at random, even when adversaries have direct access to the underlying blockcipher. This rules out the straightforward use of existing blockcipher modes of operation, such as CBC, with a public key and fixed IV, or even the more complex variable-length enciphering schemes (e.g. [refs]).

The TE construction. Our construction utilizes two blockciphers and a trapdoor one-way permutation. Note that in the ideal cipher model one can easily derive two ciphers from a single cipher E at the cost of one bit of keying material: $E(K, M) = E(1 \| K, M)$ and $E'(K, M) = E(0 \| K, M)$. For simplicity then we assume access to two ciphers $E\colon \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^n$ and $E'\colon \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^n$. The cipher E will be used in a blockcipher mode
Algorithm $\mathcal{E}(M)$:
    $T \leftarrow \mathcal{T}(M)$
    $M_1 M_2 \cdots M_m \leftarrow M$
    $Y_0 \leftarrow f(T)$
    For i = 1 to m do
        $Y_i \leftarrow E(T, \langle i \rangle) \oplus M_i$
    Ret $Y_0 \| Y_1 \| \cdots \| Y_m$

Algorithm $\mathcal{T}(M)$:
    $M_1 M_2 \cdots M_l \leftarrow \mathrm{PadPF}(M)$
    $X_0 \leftarrow IV$
    For i = 1 to l do
        $X_i \leftarrow E'(M_i, X_{i-1}) \oplus X_{i-1}$
    Ret $X_l$

[Right-hand diagram: $\mathcal{E}$ applied to a three-block message; the tag T keys three calls to E whose outputs are XORed with $M_1, M_2, M_3$ to give $Y_1, Y_2, Y_3$, alongside $Y_0 = f(T)$.]

Fig. 2. (Left) Algorithm $\mathcal{E} = \mathrm{TE}[E, E', f]$ and the description of function $\mathcal{T}$. (Right) A diagram of $\mathcal{E}$ applied to a message M for which $|M| = 3n$.


much like CTR mode encryption. The cipher E' will be utilized to build a function $\mathcal{T}$ for generating tags that will be (with high probability) unique to each input message. A message’s tag then serves as the key for the CTR-mode-like enciphering step. In fact our function $\mathcal{T}$ will realize a blockcipher-based construction of a pseudorandom oracle, originally suggested in [ref] and proven secure in [ref]. Finally, a trapdoor one-way permutation f is applied to the tag value, the result being the first portion of the output. This step ensures the injectivity of the construction, while the one-wayness “hides” the tag. We will require the trapdoor property in the proof.

Formally, we define the injection $\mathcal{E} = \mathrm{TE}[E, E', f]$ by the algorithms in Figure 2. The padding function $\mathrm{PadPF}\colon \{0,1\}^* \to (\{0,1\}^n)^+$ is any prefix-free encoding function: for any two messages $M, M' \in \{0,1\}^*$ with $|M| \ne |M'|$ the string $\mathrm{PadPF}(M)$ is not a prefix of $\mathrm{PadPF}(M')$. (Such functions are simple; one example is to unambiguously pad M to a sequence of (n − 1)-bit blocks, then append a zero to all the blocks except the last, to which a one is appended.) The domain of $\mathcal{E}$ is $\mathcal{M} = \{0,1\}^{\le L'}$ where $L' = n \cdot 2^{128}$. It maps a string X to a string of length $|X| + k$.
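The following Python is an added example, not the paper's code, and serves both the MCM definition of Section 3 (together with the adversary B of Theorem 1) and the TE construction just described: it instantiates TE with a constructed SHA-256 Feistel network standing in for the ideal cipher, a toy RSA trapdoor permutation with public primes, and the introduction's $H(m) = x^m \bmod n$ as the CR function, all with n = k = 64 bits. Inverting TE with the trapdoor makes its injectivity concrete; the cipher, the primes, the byte-aligned padding and every function name are assumptions of the example.

```python
import hashlib
import struct

# Added example, not the paper's code. Toy instantiation of TE[E, E', f] (Fig. 2) used as both
# mixing steps of MCM[E_1, H, E_2] (Section 3). Parameters: n = k = 64 bits, so a tag is one block.
N_BYTES = 8


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))  # truncates to the shorter input


# Constructed stand-in for the ideal cipher: an 8-round Feistel network on 64-bit blocks with a
# SHA-256 round function. The 'dom' byte derives distinct ciphers from one cipher, as on the page
# (E and E' for E_1 use dom 1 and 2; the pair for E_2 uses dom 3 and 4).
def enc(dom: int, key: bytes, block: bytes) -> bytes:
    L, R = block[:4], block[4:]
    for i in range(8):
        L, R = R, _xor(L, hashlib.sha256(bytes([dom, i]) + key + R).digest()[:4])
    return L + R


def dec(dom: int, key: bytes, block: bytes) -> bytes:
    L, R = block[:4], block[4:]
    for i in reversed(range(8)):
        L, R = _xor(R, hashlib.sha256(bytes([dom, i]) + key + L).digest()[:4]), L
    return L + R


def pad_pf(M: bytes) -> list:
    """PadPF: prefix-free encoding into n-bit blocks, the byte-aligned analogue of the page's scheme:
    7 data bytes plus a marker byte, 0x00 on every block except the last, which gets 0x01."""
    M = M + b"\x80" + b"\x00" * ((-len(M) - 1) % 7)
    chunks = [M[i:i + 7] for i in range(0, len(M), 7)]
    return [c + (b"\x01" if j == len(chunks) - 1 else b"\x00") for j, c in enumerate(chunks)]


def tag(dom: int, M: bytes) -> bytes:
    """T(M): X_i = E'(M_i, X_{i-1}) xor X_{i-1} over the blocks of PadPF(M), from IV = 0^n."""
    X = bytes(N_BYTES)
    for Mi in pad_pf(M):
        X = _xor(enc(dom + 1, Mi, X), X)
    return X


# Constructed toy trapdoor permutation on {0,1}^64: RSA with two public (hence NOT secret) 32-bit
# primes. Inputs >= N, a negligible sliver of the domain, map to themselves so that f permutes the
# whole k-bit space. A deployment needs a real generator F(1^k) with f^{-1} kept out of reach.
P, Q = 4294967291, 4294967279
RSA_N, RSA_E = P * Q, 65537
RSA_D = pow(RSA_E, -1, (P - 1) * (Q - 1))


def f(T: bytes) -> bytes:
    x = int.from_bytes(T, "big")
    return (pow(x, RSA_E, RSA_N) if x < RSA_N else x).to_bytes(N_BYTES, "big")


def f_inv(Y: bytes) -> bytes:
    y = int.from_bytes(Y, "big")
    return (pow(y, RSA_D, RSA_N) if y < RSA_N else y).to_bytes(N_BYTES, "big")


def te(dom: int, M: bytes) -> bytes:
    """TE(M) = f(T) || (E(T,<1>) xor M_1) || ... with T = T(M); the output is |M| + k bits."""
    T = tag(dom, M)
    out = [f(T)]
    for i in range(0, len(M), N_BYTES):
        out.append(_xor(M[i:i + N_BYTES], enc(dom, T, struct.pack(">Q", i // N_BYTES + 1))))
    return b"".join(out)


def te_invert(dom: int, Y: bytes) -> bytes:
    """Trapdoor inversion: recovers M from TE(M) using f^{-1}. That this inverse exists is exactly
    why TE is injective by construction; public parties cannot run it because they lack f^{-1}."""
    T, C = f_inv(Y[:N_BYTES]), Y[N_BYTES:]
    M = b"".join(_xor(C[i:i + N_BYTES], enc(dom, T, struct.pack(">Q", i // N_BYTES + 1)))
                 for i in range(0, len(C), N_BYTES))
    if tag(dom, M) != T:
        raise ValueError("not in the image of TE")
    return M


# Toy provably-CR function from the introduction, H(m) = x^m mod n, reusing the toy modulus.
def H(m: bytes) -> bytes:
    return pow(3, int.from_bytes(m, "big"), RSA_N).to_bytes(N_BYTES, "big")


def structural_relation_holds(m: bytes) -> bool:
    """H(2m) = H(m)^2 mod n: the relation a random oracle would almost never satisfy."""
    two_m = (2 * int.from_bytes(m, "big")).to_bytes(len(m) + 1, "big")
    return int.from_bytes(H(two_m), "big") == pow(int.from_bytes(H(m), "big"), 2, RSA_N)


def mcm(M: bytes) -> bytes:
    """MCM[E_1, H, E_2](M) = E_2(H(E_1(M))) with E_1 = TE on dom 1 and E_2 = TE on dom 3."""
    return te(3, H(te(1, M)))


def reduction_B(X: bytes, X2: bytes):
    """Adversary B of Theorem 1: an MCM collision (X, X') becomes the H collision (E_1(X), E_1(X'))."""
    return te(1, X), te(1, X2)
```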
The security of TE. To analyze the security of TE, we start by treating the function $\mathcal{T}$ as a random oracle. This is justified by the proof that $\mathcal{T}$ is a PRO, found in [ref], and the composability guarantees of the indifferentiability framework established in [23]. Thus from now on $\mathcal{T} = \mathrm{RF}_{\mathcal{M},n}$. We overload our notation to define TE in terms of idealized components. Let E be an ideal cipher, i.e. $E \xleftarrow{\$} \mathrm{BC}(k,n)$, let $\mathcal{F} = \mathrm{RF}_{\mathcal{M},n}$, and let TGen be the trusted setup oracle described in Section 2. Now let $\mathcal{E} = \mathrm{TE}[E, \mathcal{F}, \mathrm{TGen}]$ be the ITM that follows Algorithm $\mathcal{E}$ of Figure 2 except it utilizes TGen to get f initially and queries the E and $\mathcal{F}$ oracles where appropriate. The next theorem captures the main result of this section.

Theorem 3. Let $E\colon \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^n$ be an ideal cipher, $\mathcal{F} = \mathrm{RF}_{\mathcal{M},k}$, and TGen be the oracle described above. Let $\mathcal{E} = \mathrm{TE}[E, \mathcal{F}, \mathrm{TGen}]$. Let A be an adversary that asks at most $(q_1, q_2, q_3, q_4, 1)$ oracle queries, each of length at most $\mu$ bits, and runs in time at most t. Then there exists an adversary C such that

$$\mathrm{Adv}^{prio}_{\mathcal{E},S}(A) \le q_1\,\mathrm{Adv}^{owf}_F(C) + \ldots$$

(the remaining terms of the bound are not legible in this copy) where $\sigma = \lceil \mu/n \rceil$ and S, the simulator defined in Figure 3, runs in time at most $t_S \le c(\mu + q_2 q_4)$ for some absolute constant c and makes $q_S = q_4$ queries. Adversary C runs in time $t' \le t + t_S + (q_2 + q_4)\,\mathrm{Time}_f + (q_1 + q_2 + q_4)\log(q_1 + q_2 + q_4) + c'\mu$ for some absolute constant $c'$. ∎

A proof of the theorem is provided in the full version of the paper [ref]; here we just provide a brief proof sketch. An adversary is given either the oracles $(\mathcal{E}, E, D, \mathcal{F}, \mathrm{TGen})$ or the oracles $(\mathcal{I}, S_E, S_D, S_{\mathcal{F}}, S_{\mathrm{TGen}})$. Recall that D is the oracle implementing the inverse of E. Intuitively the structure of TE ensures that an adversary, attempting to discover information about the tag and via it the random pad created for some message M, must reveal M to the simulator (by querying the fourth oracle). Knowing M, the simulator can ‘program’ the random pad to be consistent with the output of the ideal injection $\mathcal{I}$.

The simulator will fail if either of two events occurs. The first event corresponds to when two tags collide in the course of simulating the construction. If this happens the CTR mode must generate the same pad, and no longer hides relationships between input and output bits. Such an event will occur with low probability because $\mathcal{T}$ is a RO. The second kind of event is if the adversary infers a tag value without utilizing its fourth oracle ($\mathcal{F}$ or $S_{\mathcal{F}}$). If it can do so, then it can compute the pad using the second oracle (E or $S_E$) before the simulator knows the message the tag corresponds to. This event should happen with low probability because it requires that the adversary invert f on some image returned as the first k bits of a query to the first oracle. We can bound the probability of A inverting f on some point in terms of its ability to invert on a particular point (hence the $q_1\,\mathrm{Adv}^{owf}_F(C)$ term). Since neither event occurs with high probability, we achieve a bound on the adversary’s ability to differentiate the two sets of oracles.

Discussion. One might wonder if we can dispense with the one-way permutation. In fact it is requisite: omitting it would result in a construction easily differentiable
procedure $S_E(K, C)$:
  If $\exists j$ s.t. $T_j = K$ and $C < |M_j|/n$ then
    Ret $M_j^{C} \oplus Y_j^{C+1}$
  Ret $Y \leftarrow \{0,1\}^n$

procedure $S_F(M)$:
  $j \leftarrow j + 1$ ; $M_j \leftarrow M$
  $Y_j^{0} \,\|\, Y_j^{1} \,\|\, \cdots \leftarrow \mathcal{I}(M_j)$
  $T_j \leftarrow f^{-1}(Y_j^{0})$
  Ret $T_j$

procedure $S_D(K, Y)$:
  Return $D \leftarrow \{0,1\}^n$

procedure $S_{\mathrm{TGen}}()$:
  $(f, f^{-1}) \leftarrow \mathcal{F}(1^k)$
  Return $f$

Fig. 3. The simulator $S$ used in the proof of Theorem 3. Initially $j = 0$.


from a random injective oracle. An adversary could simply query its first oracle on a random message $M_1$, receiving $T_1 \,\|\, Y_1$. Then the adversary could query its third oracle (either $D$ or $S_D$) on $(T_1, Y_1)$. At this point the simulator has no knowledge about $M_1$ and will therefore only respond correctly with low probability.

The TE construction is a proof-of-concept: it is the first object to achieve our 
new goal of being simultaneously constructively injective and indifferentiable 
from a random injection. On the other hand it has several drawbacks when 
considering it for practical use. It is length-increasing (outputs are larger than 
the inputs by at least the number of key bits of the underlying blockcipher). This 
means that when utilized in MCM the output hash values will be larger compared 
to the outputs of the provably CR function H. Further, the construction requires 
two passes over the data and the application of a trapdoor permutation. In 
settings where speed is not essential (e.g., contract signing), the extra expense of 
using TE over that already incurred by hashing with a standard-model, provably 
collision-resistant function H might not be prohibitive. All this said, the TE 
construction does show that the MCM approach is feasible. We hope that future 
research will surface improvements. 

6 Composability Limitations and Open Problems 

Recall that the key benefit of indifferentiability results is the guarantee of composability, as discussed in depth in [?]. For example, a cryptographic scheme $\mathcal{E}$ proven secure when utilizing a (monolithic) random oracle $\mathcal{R}$ remains secure if the random oracle is replaced by a PRO construction $C$. When we say "remains secure" we mean that the existence of an adversary breaking the security of $\mathcal{E}^{\mathcal{R}}$ implies the existence of an adversary that breaks the security of $\mathcal{E}^{C}$. This means we can safely argue about the security of $\mathcal{E}^{C}$ in two steps: show that $C$ is indifferentiable from $\mathcal{R}$ and then that $\mathcal{E}^{\mathcal{R}}$ is secure. Enabling this approach is a significant benefit of simulation-based definitions (the UC framework is another example [?]). Our results also allow for secure composition, but with important (and perhaps subtle) qualifications.
First, we note that both Theorem [?] and Theorem 3 differ from previous indifferentiability results because they are complexity-theoretic in nature. Specifically, the indifferentiability of MCM from a random oracle (Theorem [?]) relies on an adversary's inability to find collisions under $H$. The indifferentiability of TE from a random injection (Theorem 3) relies on an adversary's inability to invert the trapdoor permutation $f$. We must bound the computational power of the adversary in both results, since an unbounded adversary can always find collisions against $H$ or invert $f$. This means that $\mathcal{E}^{\mathrm{MCM}}$, for example, is secure only against computationally-bounded adversaries, even if $\mathcal{E}^{\mathcal{R}}$ is information-theoretically secure. This is a problem for random-oracle-based constructions $\mathcal{E}$ that require information-theoretic security (see, e.g., [?]).

Second, Theorem 3 relies on a simulator that knows the trapdoor of the one-way permutation (i.e., it gets to control generation of the permutation). Effectively then, instantiating TE requires a trusted party to publish a description of $f$, which can be considered a common reference string (CRS). We allow the simulator to choose the CRS in the proof. Recent results by Pass and by Canetti et al. [?] call into question the (wide) use of such powerful simulators, in that composability of some security properties might be lost. For example, Pass discusses how deniability of non-interactive zero-knowledge proofs (the prover can assert that he never even proved a statement) does not hold if the proof relies on the zero-knowledge simulator choosing the CRS [?]. Indeed, interpreting the composability theorem for the indifferentiability framework [?, Thm. 1] in the context of TGen implies that some security properties (e.g., deniability) of constructions using TE will not hold in settings where other parties are allowed to know $f$.

These subtle nuances of our results lead to a host of provocative open ques- 
tions. What other properties, beyond deniability, are compromised by the weak 
composability guarantees of TE? Is it (im)possible to build PRIOs without re- 
lying on such strong simulators? Can we strengthen the MCM security result, 
or find other constructions, that simultaneously are provably CR and yet have 
information-theoretic indifferentiability from a RO? 
Abstract. We construct a new group signature scheme using bilinear groups. The 
group signature scheme is practical, both keys and group signatures consist of a 
constant number of group elements, and the scheme permits dynamic enrollment 
of new members. The scheme satisfies strong security requirements, in particular 
providing protection against key exposures and not relying on random oracles in 
the security proof. 

Keywords: Group signatures, certified signatures, bilinear groups. 


1 Introduction 

Group signatures make it possible for a member of a group to sign messages anony- 
mously so that outsiders and other group members cannot see which member signed 
the message. The group is controlled by a group manager that handles enrollment of 
members and also has the ability to identify the signer of a message. Group signatures 
are useful in contexts where it is desirable to preserve the signer’s privacy, yet in case 
of abuse we want some authorities to have the means of identifying her. 

Group signatures were introduced by Chaum and van Heyst [CvH91] and have been the subject of much research. Most of the proposed group signatures have been proven secure in the random oracle model [BR93] and now quite efficient schemes exist in the random oracle model [ACJT00, BBS04, CL04, CG04, FI05, KY05]. The random oracle model has been the subject of criticism though. Canetti, Goldreich and Halevi [CGH98] demonstrated the existence of an insecure signature scheme that has a security proof in the random oracle model. Other works showing weaknesses of the random oracle model are [Nie02, GK03, BBP04, CGH04].

There are a few group signature schemes that avoid the random oracle model. Bellare, Micciancio and Warinschi [BMW03] suggested security definitions for group signatures and offered a construction based on trapdoor permutations. Their security model assumed the group was static and all members were given their honestly generated keys right away. Bellare, Shi and Zhang [BSZ05] strengthened the security model to include dynamic enrollment of members. This security model also separated the group manager's role into two parts: issuer and opener. The issuer is responsible for enrolling members, but cannot trace who has signed a group signature. The opener on the other hand cannot enroll members, but can open a group signature to see who signed it. Moreover, it was required that this opener should be able to prove that said member made the group signature, to avoid false accusations of members. [BSZ05] demonstrated that trapdoor permutations suffice also for constructing group signatures in this model. Both of these schemes use general and complicated primitives and are very inefficient. Groth [Gro06] used bilinear groups to construct a group signature scheme in the BSZ-model, with nice asymptotic performance, where each group signature consists of a constant number of group elements. Still, the constant is enormous and a group signature consists of thousands or perhaps even millions of group elements.

There are also a few practical group signature schemes with security proofs in the standard model. Ateniese, Camenisch, Hohenberger and de Medeiros [ACHdM05] give a highly efficient group signature scheme, where each group signature consists of 8 group elements in prime order bilinear groups. This scheme is secure against a non-adaptive adversary that never gets to see private keys of honest members. If a member's key is exposed, however, it is easy to identify all group signatures she has made, so their scheme is not secure in the BMW/BSZ-models.

Boyen and Waters [BW06, BW07] suggest group signatures that are secure against key exposure attacks. Their constructions are secure in a restricted version of the BMW-model where the anonymity of the members relies on the adversary not being able to see any openings of group signatures. In the latter scheme [BW07], the group signatures consist of 6 group elements in a composite order bilinear group. The public key in [BW07] grows logarithmically in the size of the message space though, and will for practical purposes typically contain a couple of hundred group elements.

Our contribution. We propose a new group signature scheme based on prime order bilinear groups. All parts of the group signature scheme, including the group public key and the group signatures, consist of a constant number of group elements. The constants are reasonable for practical purposes; for instance, using 256-bit prime order bilinear groups, a group public key would be less than 1kB and a group signature less than 2kB.

We prove, under some well-known assumptions, the strong Diffie-Hellman assumption [BB04] and the decisional linear assumption [BBS04], as well as a new assumption, that the scheme is secure in the BSZ-model. This means the scheme permits dynamic enrollment of members, preserves anonymity of a group signature even if the adversary can see arbitrary key exposures or arbitrary openings of other group signatures, and separates the roles of the issuer and opener such that they can operate independently.

Technique. We use in our group signature scheme a certified signature scheme. Certified signatures, the notion stemming from Boldyreva, Fischlin, Palacio and Warinschi, allow a user to pick keys for a signature scheme and use them to sign messages. The user can ask a certification authority to certify her public verification key for the signature scheme. The verification algorithm checks both the certificate and the signature and accepts if both of them are acceptable. A trivial way to build a certified signature scheme is just to let the certification authority output a standard signature on the user's public verification key. Non-trivial solutions, such as for instance using an aggregate signature scheme [BGLS03], also exist. Certified signature schemes may be more efficient though, since the certificate does not have to be unforgeable. In a certified signature scheme, the requirement is just that it is infeasible to forge a certificate together with a valid signature. We refer to Section 3 for a formal definition.

In our group signature scheme, enrolling members will create a key for a signature 
scheme and ask the issuer to issue a certificate on their verification key. To make a 
group signature, the member will make a certified signature. To be anonymous she 
will encrypt the certified signature and use non-interactive witness-indistinguishable 
and non-interactive zero-knowledge proofs to demonstrate that the ciphertext contains 
a valid certified signature. 

In order to have efficient non-interactive proofs, it is essential to preserve as much of the bilinear group structure of the encrypted certified signature as possible. In particular, using cryptographic hash-functions or using group elements from one part of the certified signature as exponents in other parts of the certified signature does not work. We will combine the signature scheme of Boneh and Boyen [BB04] with the signature scheme of Zhou and Lin [ZL06] to get a certified signature scheme that is both efficient and relies only on generic group operations.

2 Setup 

Let $\mathcal{G}$ be a probabilistic polynomial time algorithm that generates $(p, G, G_T, e, g) \leftarrow \mathcal{G}(1^k)$ such that:

- $p$ is a $k$-bit prime.

- $G, G_T$ are groups of order $p$.

- $g$ is a randomly chosen generator of $G$.

- $e$ is a non-degenerate bilinear map, i.e., $e(g, g)$ is a generator of $G_T$ and for all $a, b \in \mathbb{Z}_p$ we have $e(g^a, g^b) = e(g, g)^{ab}$.

- Group operations, evaluation of the bilinear map, and membership of $G, G_T$ are all efficiently computable.

We will now present some of the security assumptions that will be used in the paper.

DLIN assumption. The decisional linear assumption was introduced by Boneh, Boyen and Shacham [BBS04]. The DLIN assumption holds for $G$ when it is hard to distinguish, for randomly chosen group elements and exponents $(f, g, h, f^r, g^s, h^t)$, whether $t = r + s$ or $t$ is random.

q-SDH assumption. The strong Diffie-Hellman assumption was introduced by Boneh and Boyen [BB04]. The q-SDH assumption holds for $G$ when it is hard to find a pair $(m, g^{1/(x+m)}) \in \mathbb{Z}_p \times G$ when given $g, g^x, g^{x^2}, \ldots, g^{x^{q(k)}}$ as input. In the paper, it suffices to have $q$ being a polynomial.

q-U assumption. We will now define the unfakeability assumption. The q-U assumption holds for $G$ if for any non-uniform polynomial time adversary $\mathcal{A}$ we have:

$$\Pr\big[(p, G, G_T, e, g) \leftarrow \mathcal{G}(1^k);\ x_1, r_1, \ldots, x_{q(k)}, r_{q(k)} \leftarrow \mathbb{Z}_p;\ f, h, z \leftarrow G;\ T := e(f, z);\ a_i := f^{-r_i};\ b_i := h^{r_i} g^{x_i r_i} z;$$
$$(V, A, B, m, S) \leftarrow \mathcal{A}(p, G, G_T, e, g, f, h, T, x_1, a_1, b_1, \ldots, x_{q(k)}, a_{q(k)}, b_{q(k)}) :$$
$$V \notin \{g^{x_i}\} \wedge e(A, hV)\,e(f, B) = T \wedge e(S, Vg^m) = e(g, g)\big] \approx 0.$$

The q-U assumption is implied by a stronger assumption from Zhou and Lin [ZL06] that is similar in nature. A heuristic argument for the assumption is that it holds in the generic group model; see the full paper for a proof.

3 Certified Signatures 

Typically, using a signature in a public key infrastructure works like this: A user that 
wants to set up a signature scheme, generates a public verification key vk and a secret 
signing key sk. She takes the public key to a certification authority that signs vk and 
possibly some auxiliary information such as name, e-mail address, etc. We call this the 
certificate. Whenever the user wants to sign a message, she sends both the certificate 
and the signature to the verifier. The verifier checks that the certification authority has 
certified that the user has the public key vk and also checks the user’s signature on the 
message. 

In the standard way of certifying verification keys described above, the process of issuing certificates and verifying certificates is separate from the process of signing messages and verifying signatures. Boldyreva, Fischlin, Palacio and Warinschi [BFPW07] show that combining the two processes into one can improve efficiency. As they observe, we do not need to worry about forgeries of the certificate itself; we only need to prevent the joint forgery of both the certificate and the signature.

A certified signature scheme [BFPW07] is a combined scheme for signing messages and producing certificates for the verification keys. We will give a formal definition that is tailored to our purposes and slightly simpler than the more general definition given by Boldyreva, Fischlin, Palacio and Warinschi. Formally, a certified signature scheme consists of the following probabilistic polynomial time algorithms.

Setup: $\mathcal{G}$ takes a security parameter as input and outputs a description $gk$ of our setup.

Certification key: CertKey on input $gk$ outputs a pair $(ak, ck)$, respectively a public authority key and a secret certification key.

Key registration: This is an interactive protocol $\langle \mathrm{User}, \mathrm{Issuer}\rangle$ that generates keys for the user together with a certificate. User takes $gk, ak$ as input, whereas Issuer takes $gk, ck$ as input. If successful, User outputs a triple $(vk, sk, cert)$, whereas Issuer outputs $(vk, cert)$. We write $((vk, sk, cert), (vk, cert)) \leftarrow \langle \mathrm{User}(gk, ak), \mathrm{Issuer}(gk, ck)\rangle$ for this process. We call $vk$ the verification key, $sk$ the signing key and $cert$ the certificate. Either party outputs $\perp$ if the other party deviates from the key registration protocol.

Signature: Sign gets a signing key and a message $m$ as input. It outputs a signature $\sigma$.

Verification: Ver takes as input $gk, ak, vk, cert, m, \sigma$ and outputs 1 if accepting the certificate and the signature on $m$. Otherwise it outputs 0.

The certified signature scheme must be correct, unfakeable and unforgeable as defined 
below. 

Perfect correctness: For all messages $m$ we have

$$\Pr\big[gk \leftarrow \mathcal{G}(1^k);\ (ak, ck) \leftarrow \mathrm{CertKey}(gk);\ ((vk, sk, cert), (vk, cert)) \leftarrow \langle \mathrm{User}(gk, ak), \mathrm{Issuer}(gk, ck)\rangle;\ \sigma \leftarrow \mathrm{Sign}_{sk}(m) : \mathrm{Ver}(gk, ak, vk, cert, m, \sigma) = 1\big] = 1.$$

Unfakeability: We want it to be hard to create a signature with a faked certificate. Only if the verification key has been generated correctly and been certified by the certification authority should it be possible to make a certified signature on a message. For all non-uniform polynomial time adversaries $\mathcal{A}$ we require:

$$\Pr\big[gk \leftarrow \mathcal{G}(1^k);\ (ak, ck) \leftarrow \mathrm{CertKey}(gk);\ (vk, cert, m, \sigma) \leftarrow \mathcal{A}^{\mathrm{KeyReg}}(gk, ak) : vk \notin Q \wedge \mathrm{Ver}(gk, ak, vk, cert, m, \sigma) = 1\big] \approx 0,$$

where KeyReg is an oracle that allows $\mathcal{A}$ to sequentially start up new key registration sessions and lets $\mathcal{A}$ act as the user. That is, in session $i$ we run $(*, (vk_i, cert_i)) \leftarrow \langle \mathcal{A}, \mathrm{Issuer}(gk, ck)\rangle$; $Q := Q \cup \{vk_i\}$, forwarding all messages to and from $\mathcal{A}$ through the oracle.

Existential $M$-unforgeability: Let $M$ be a stateful non-uniform polynomial time algorithm. We say the certified signature scheme is existentially $M$-unforgeable if for all non-uniform polynomial time adversaries $\mathcal{A}$ we have:

$$\Pr\big[gk \leftarrow \mathcal{G}(1^k);\ (St_1, ak) \leftarrow \mathcal{A}(gk);\ ((vk, sk, cert), St_2) \leftarrow \langle \mathrm{User}(gk, ak), \mathcal{A}(St_1)\rangle;$$
$$(cert', m, \sigma) \leftarrow \mathcal{A}^{\mathrm{MessageSign}(\cdot)}(St_2) : m \notin Q \wedge \mathrm{Ver}(gk, ak, vk, cert', m, \sigma) = 1\big] \approx 0,$$

where MessageSign$(\cdot)$ is an oracle that on input $a_i$ runs $(m_i, h_i) \leftarrow M(gk, a_i)$; $\sigma_i \leftarrow \mathrm{Sign}_{sk}(m_i)$; $Q := Q \cup \{m_i\}$ and returns $(m_i, h_i, \sigma_i)$.

Adaptive chosen message attack corresponds to letting $M$ be an algorithm that on input $m_i$ outputs $(m_i, \varepsilon)$. On the other hand, letting $M$ be an algorithm that ignores $\mathcal{A}$'s inputs corresponds to a weak chosen message attack, where messages to be signed by the oracle are chosen without knowledge of $vk$. In a weak chosen message attack, the $h_i$'s may contain a history of how the messages were selected. In this paper, we only need security against weak chosen message attack.

4 A Certified Signature Scheme 

We will construct a certified signature scheme from bilinear groups that is existentially unforgeable under weak chosen message attack. There are two parts of the scheme: certification and signing. For signing, we will use the Boneh-Boyen signature scheme that is secure under weak chosen message attack. In their scheme the public key is $v := g^x$ and the secret signing key is $x$. A signature on message $m \in \mathbb{Z}_p \setminus \{-x\}$ is $\sigma = g^{1/(x+m)}$. It can be verified by checking $e(\sigma, vg^m) = e(g, g)$. Boneh and Boyen [BB04] proved that this signature scheme is secure against weak chosen message attack under the q-SDH assumption. The existential unforgeability of our certified signature scheme under weak chosen message attack will follow directly from the security of the Boneh-Boyen signature scheme under weak chosen message attack.

What remains is to specify how to generate the verification key $v$ and how to certify it. This is a 2-step process, where we first generate a random $v = g^x$ such that the issuer learns $v$ but only the user learns $x$. In Section 4.1 we describe in detail the properties we need this key generation protocol to have. In the second step, we use a variation of the signature scheme of Zhou and Lin [ZL06] to certify $v$.$^1$

To set up the certified signature scheme, the certification authority picks random group elements $f, h, z \in G$. The authority key is $(f, h, T)$ and the secret certification key is $z$, so $T = e(f, z)$. To certify a Boneh-Boyen key $v$ the authority picks $r \leftarrow \mathbb{Z}_p$ and sets $(a, b) := (f^{-r}, (hv)^r z)$. The certificate is verified by checking $e(a, hv)\,e(f, b) = T$. We remark that this is not a good signature scheme, since given $v, a, b$ it is easy to create a certificate for $v' := v^2 h$ as $(a', b') := (a^{1/2}, b)$. For certified signatures it works fine though, since we cannot use the faked verification keys to actually sign any messages. The nice part about the certified signature scheme we have suggested here is that a certificate consists of only two group elements and is created through the use of generic group operations. These two properties of the certified signature scheme are what enable us to construct a practical group signature scheme on top of it.


Setup$(1^k)$
  Return $gk := (p, G, G_T, e, g) \leftarrow \mathcal{G}(1^k)$

CertKey$(gk)$
  $f, h, z \leftarrow G$
  $T := e(f, z)$
  Return $(ak, ck) := ((gk, f, h, T), (ak, z))$

$\langle \mathrm{User}(gk, ak), \mathrm{Issuer}(gk, ck)\rangle$
  $(x, v) \leftarrow \langle \mathrm{User}(gk), \mathrm{Issuer}(gk)\rangle$
  $r \leftarrow \mathbb{Z}_p$
  $a := f^{-r}$
  $b := (vh)^r z$
  $vk := v$ ; $sk := x$ ; $cert := (a, b)$
  User output: $(vk, sk, cert)$
  Issuer output: $(vk, cert)$

Sign$_{sk}(m)$
  If $x = -m$ return $\perp$
  Else return $\sigma := g^{1/(x+m)}$

Ver$(gk, ak, vk, cert, m, \sigma)$
  Return 1 if
    $e(a, vh)\,e(f, b) = T$
    $e(\sigma, vg^m) = e(g, g)$
  Else return 0

Fig. 1. The certified signature scheme
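The following Python program is an added example, not code from the paper: it runs the algebra of Figure 1 in a toy model of a bilinear group in which every element of $G$ is stored as its discrete logarithm base $g$ modulo a small constructed prime, so that $e(g^a, g^b) = e(g, g)^{ab}$ becomes multiplication of exponents. It reproduces the two verification equations, the excluded message $m = -x$, and the malleability remark above ($v' := v^2 h$ with $(a', b') := (a^{1/2}, b)$ passes the certificate equation but comes with no usable signing key). The key generation protocol of Section 4.1 is replaced by the user choosing $x$ directly, the prime `P` and all sample values are constructed, and the model has no security of its own: it exists only to check the equations.

```python
# Added example (not from the paper): the algebra of the certified signature
# scheme in Figure 1, run in a toy model of a bilinear group. Every element of G
# is stored as its discrete logarithm base g modulo a small prime P, so group
# multiplication is addition of exponents and the pairing e(g^a, g^b) = e(g,g)^{ab}
# is stored as the exponent a*b. This reproduces the verification equations
# exactly but has no security whatsoever (all logarithms are in the clear).
import secrets

P = 1_000_003  # constructed toy prime; a real instance uses a ~256-bit prime


# --- toy bilinear group G, G_T in the "exponent" representation ---------------
def g_pow(elem, k):        # elem^k in G
    return (elem * k) % P


def g_mul(*elems):         # product of elements of G
    return sum(elems) % P


def e(x, y):               # pairing; value stored as the exponent of e(g, g)
    return (x * y) % P


def gt_mul(*vals):         # product of elements of G_T
    return sum(vals) % P


G_GEN = 1                  # the generator g = g^1
GT_GEN = e(G_GEN, G_GEN)   # e(g, g) = e(g, g)^1


def rand_zp():
    return secrets.randbelow(P - 1) + 1


# --- CertKey: authority key ak = (f, h, T), secret certification key ck = z -----
def cert_key(f=None, h=None, z=None):
    f = rand_zp() if f is None else f
    h = rand_zp() if h is None else h
    z = rand_zp() if z is None else z
    return (f, h, e(f, z)), z          # T := e(f, z)


# --- Key registration. The interactive key generation protocol of Section 4.1
# is abstracted away (assumption of this toy): the user picks x, the issuer
# sees v = g^x and certifies it with (a, b) := (f^{-r}, (vh)^r z).
def register(ak, ck, x=None, r=None):
    f, h, _T = ak
    z = ck
    x = rand_zp() if x is None else x
    r = rand_zp() if r is None else r
    v = g_pow(G_GEN, x)                          # v = g^x
    a = g_pow(f, (-r) % P)                       # a = f^{-r}
    b = g_mul(g_pow(g_mul(v, h), r), z)          # b = (vh)^r z
    return v, x, (a, b)                          # (vk, sk, cert)


# --- Boneh-Boyen signing: sigma = g^{1/(x+m)}, undefined for m = -x -------------
def sign(sk, m):
    if (sk + m) % P == 0:
        return None                              # the excluded message
    return g_pow(G_GEN, pow((sk + m) % P, -1, P))


# --- Verification: the certificate equation and the signature equation --------
def verify_certificate(ak, vk, cert):
    f, h, T = ak
    a, b = cert
    return gt_mul(e(a, g_mul(vk, h)), e(f, b)) == T     # e(a, vh) e(f, b) = T


def verify(ak, vk, cert, m, sigma):
    if sigma is None:
        return False
    sig_ok = e(sigma, g_mul(vk, g_pow(G_GEN, m))) == GT_GEN  # e(sigma, v g^m) = e(g,g)
    return verify_certificate(ak, vk, cert) and sig_ok


# --- The remark in the text: certificates are malleable. From (v, a, b) anyone
# can produce a certificate for v' = v^2 h as (a^{1/2}, b), without learning
# the exponent of v' and hence without being able to sign under it.
def fake_certificate(ak, vk, cert):
    _f, h, _T = ak
    a, b = cert
    v_fake = g_mul(g_pow(vk, 2), h)              # v' = v^2 h
    a_fake = g_pow(a, pow(2, -1, P))             # a' = a^{1/2} (exponent halved)
    return v_fake, (a_fake, b)


if __name__ == "__main__":
    ak, ck = cert_key()
    vk, sk, cert = register(ak, ck)
    m = 12345                                    # constructed sample message
    sigma = sign(sk, m)
    print("honest certified signature verifies:", verify(ak, vk, cert, m, sigma))
    v_fake, cert_fake = fake_certificate(ak, vk, cert)
    print("faked certificate passes certificate check:",
          verify_certificate(ak, v_fake, cert_fake))
    print("old signature under faked key verifies:",
          verify(ak, v_fake, cert_fake, m, sigma))
```

`verify_certificate` is split out of `verify` so that the malleability remark can be checked on its own: the faked pair $(v', a', b)$ satisfies $e(a', v'h)\,e(f, b) = T$, yet any signature produced with the original key fails $e(\sigma, v' g^m) = e(g, g)$, which is exactly why the scheme is acceptable as a certified signature scheme but not as a signature scheme.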


Theorem 1. The scheme in Figure 1 is a certified signature scheme with perfect correctness for messages in $\mathbb{Z}_p \setminus \{-x\}$. It is unfakeable under the q-U assumption and is existentially unforgeable under weak chosen message attack under the q-SDH assumption.

$^1$ The signature scheme of Zhou and Lin [ZL06] can be used to sign exponents. As they observe, however, it is sufficient to know $v = g^x$ to sign $x$. In our notation, their scheme computes a signature on $x$ by setting $v = g^x$ and computing the signature $(a, b)$ as $a := f^r$, $b := (hv)^r z$, where $z = h^{\log_f g}$ so $T = e(g, h)$.
Sketch of proof. Perfect correctness follows from the perfect correctness of the key generation protocol.

We will now argue that the certified signature scheme is unfakeable. Part of the key registration protocol is the interactive key generation protocol. We can black-box simulate the view of the adversarial user in each of these key generation protocols. We can therefore pick $x_1, \ldots, x_{q(k)}$ in advance and simulate the key generation such that the adversarial user $i$ gets the signing key $x_i$ (or gets no key at all in case it deviates from the protocol). With this modified key registration, $\mathcal{A}$ only sees certificates on $v_1 := g^{x_1}, \ldots, v_{q(k)} := g^{x_{q(k)}}$. These certificates are of the form $a_i := f^{-r_i}$ and $b_i := h^{r_i} g^{x_i r_i} z$. It therefore follows directly from the q-U assumption that it is hard to come up with a certified signature using a new public verification key.

We will now argue that the certified signature scheme is existentially unforgeable under weak chosen message attack. By definition the key generation protocol has the property that it is possible to choose $v := g^x$ in advance and black-box simulate the malicious issuer's view in a protocol that gives it $v$ as output. Now we are in a situation where $v$ is an honestly chosen Boneh-Boyen verification key and $\mathcal{A}$ only has access to a weak chosen message attack. Existential unforgeability of the certified signature scheme therefore follows from the existential unforgeability of Boneh-Boyen signatures under weak chosen message attack.

4.1 Key Generation 

In the certified signature scheme, we require that the user generates her signing key honestly. We will use an interactive protocol between the user and the issuer that gives the user a uniformly random secret key $x \in \mathbb{Z}_p$, while the issuer learns $v := g^x$. In case either party does not follow the protocol or halts prematurely, the other party will output $\perp$. We will now give a more precise definition of the properties the protocol should have. For notational convenience, define $g^{\perp} = \perp$.

Write $(x, v) \leftarrow \langle \mathrm{User}(gk), \mathrm{Issuer}(gk)\rangle$ for running the key generation protocol between two probabilistic polynomial time interactive Turing machines User, Issuer on common input $gk$, giving User output $x$ and Issuer output $v$. We require that the protocol is correct in the following sense:

$$\Pr\big[gk \leftarrow \mathcal{G}(1^k);\ (x, v) \leftarrow \langle \mathrm{User}(gk), \mathrm{Issuer}(gk)\rangle : v = g^x\big] = 1.$$

We require that the view of the issuer, even if malicious, can be simulated. More precisely, for any $\delta > 0$ and polynomial time Issuer$^*$ there exists a polynomial time (in $k$ and the size of the input to Issuer$^*$) black-box simulator $S_I$, such that for all non-uniform polynomial time adversaries $\mathcal{A}$ we have:

$$\Big|\Pr\big[gk \leftarrow \mathcal{G}(1^k);\ y \leftarrow \mathcal{A}(gk);\ x \leftarrow \mathbb{Z}_p;\ v := g^x;\ (g^u, i) \leftarrow S_I^{\mathrm{Issuer}^*(y)}(gk, v) : \mathcal{A}(u, i) = 1\big]$$
$$- \Pr\big[gk \leftarrow \mathcal{G}(1^k);\ y \leftarrow \mathcal{A}(gk);\ (u, i) \leftarrow \langle \mathrm{User}(gk), \mathrm{Issuer}^*(y)\rangle : \mathcal{A}(u, i) = 1\big]\Big| < k^{-\delta},$$

where $S_I$ outputs $g^u$ so $u \in \{\perp, x\}$.
We also require that the view of the user, even if malicious, can be simulated. For any $\delta > 0$ and any polynomial time User$^*$ there exists a polynomial time (in $k$ and the size of the input to User$^*$) black-box simulator $S_U$, such that for all non-uniform polynomial time adversaries $\mathcal{A}$ we have:

$$\Big|\Pr\big[gk \leftarrow \mathcal{G}(1^k);\ y \leftarrow \mathcal{A}(gk);\ x \leftarrow \mathbb{Z}_p;\ v := g^x;\ (u, i) \leftarrow S_U^{\mathrm{User}^*(y)}(gk, x) : \mathcal{A}(u, i) = 1\big]$$
$$- \Pr\big[gk \leftarrow \mathcal{G}(1^k);\ y \leftarrow \mathcal{A}(gk);\ (u, i) \leftarrow \langle \mathrm{User}^*(y), \mathrm{Issuer}(gk)\rangle : \mathcal{A}(u, i) = 1\big]\Big| < k^{-\delta},$$

where $S_U$ outputs $i \in \{\perp, v\}$.

There are many ways in which one can construct a key generation protocol with 
these properties. One example of a simple 5-move key generation protocol is given in 
the full paper. 

5 Defining Group Signatures 

In a group signature scheme there is a group manager that decides who can join the 
group. Once in the group, members can sign messages on behalf of the group. Members’ 
signatures are anonymous, except to the group manager who can open a signature and 
see who signed the message. In some scenarios it is of interest to separate the group 
manager into two entities, an issuer who enrolls members and an opener who traces 
signers. 

We imagine that enrolled members, when joining, have some identifying information added to a registry $reg$. This registry may or may not be publicly accessible. The specifics of how the registry works are not important; we just require that $reg[i]$ only contains content both the issuer and user $i$ agree on. One option could be that the issuer maintains the registry, but the user has to sign the content of $reg[i]$ for it to be considered a valid entry. User $i$ stores her corresponding secret key in $gsk[i]$. The number $i$ we associate with the user is simply a way to distinguish the users. Without loss of generality, we will assume users are numbered $1, \ldots, n$ according to the time they joined or attempted to join.

Key generation: GKg generates $(gpk, ik, ok)$. Here $gpk$ is a group public key, while $ik$ and $ok$ are respectively the issuer's and the opener's secret key.

Join/Issue: This is an interactive protocol between a user and the issuer. If successful, the user and issuer register a public key $vk_i$ in $reg[i]$ and the user stores some corresponding secret signing key information in $gsk[i]$.

[BSZ05] specify that communication between the user and the issuer in this protocol should be secret. The Join/Issue protocol in our scheme works when all messages are sent in the clear though. In our scheme, we will assume the issuer joins users in a sequential manner, but depending on the setup assumptions one is willing to make, it is easy to substitute the Join/Issue protocol for a concurrent protocol.
Sign: Group member $i$ can sign a message $m$ as $\Sigma \leftarrow \mathrm{GSig}(gpk, gsk[i], m)$.

Verify: To verify a signature $\Sigma$ on message $m$ we run $\mathrm{GVf}(gpk, m, \Sigma)$. The signature is valid if and only if the verification algorithm outputs 1.

Open: The opener has read-access to the registration table $reg$. Running $(i, \tau) \leftarrow \mathrm{Open}(gpk, ok, reg, m, \Sigma)$ gives an opening of a valid signature $\Sigma$ on message $m$ pointing to user $i$. In case the signature points to no member, the opener will assume the issuer forged the signature and set $i := 0$. The role of $\tau$ is to accompany $i \neq 0$ with a proof that user $i$ did indeed sign the message.

Judge: This algorithm is used to verify that openings are correct. We say the opening is correct if $\mathrm{Judge}(gpk, i, reg[i], m, \Sigma, \tau) = 1$.

[BSZ05] define four properties that the group signature must satisfy: correctness, anonymity, traceability and non-frameability. We will here give a quick informal description of the properties. We refer to [BSZ05] for details and a discussion of how these security definitions cover and strengthen other security definitions that have appeared in the literature.

Non-frameability: Non-frameability protects the user against being falsely accused of 
making a group signature, even if both the issuer and the opener are corrupt. 
Traceability: When the issuer is honest and the opening algorithm is applied correctly, 
albeit the opener’s key may be exposed, traceability guarantees that a group signa- 
ture always can be traced back to a member who made it. 

Anonymity: An opener knows who made a particular group signature, but provided 
the opener is honest and the opener’s key is kept secret, nobody else should be able 
to identify the member. Anonymity gives this guarantee even in an environment 
where all users’ keys are exposed and the issuer is corrupt. In the definition, the 
adversary is also permitted to ask the opener to open group signatures, except the 
group signature where it is trying to guess who signed it. 

A weaker variant of anonymity called CPA-anonymity does not permit the adversary 
to see openings of other group signatures. The difference between full anonymity and 
CPA-anonymity is analogous to the difference between security under chosen ciphertext 
attack and chosen plaintext attack for public-key encryption. 

6 Tools 

To construct our group signature scheme, we will use the certified signature scheme from Section 4. We will also use several other tools in our construction, namely collision-free hash functions, non-interactive proofs for bilinear groups, strong one-time signatures secure against weak chosen message attack and selective-tag weak CCA-secure cryptosystems.

6.1 Collision-Free Hash-Functions 

$\mathcal{H}$ is a generator of collision-free hash-functions $\mathrm{Hash}\colon \{0,1\}^* \to \{0,1\}^{\ell(k)}$ if for all non-uniform polynomial time adversaries $\mathcal{A}$ we have:

$$\Pr\big[\mathrm{Hash} \leftarrow \mathcal{H}(1^k);\ x, y \leftarrow \mathcal{A}(\mathrm{Hash}) : x \neq y \wedge \mathrm{Hash}(x) = \mathrm{Hash}(y)\big] \approx 0.$$

We will use a collision-free hash-function to compress messages before signing them. For this purpose we will require that we can hash down to $\mathbb{Z}_p$, so we want to have $2^{\ell(k)} < p$. We remark that collision-free hash-functions can be constructed assuming the discrete logarithm problem is hard, so the existence of collision-free hash-functions follows from our assumptions on the bilinear group.

6.2 Strong One-Time Signatures 

We will use a one-time signature scheme that is secure against an adversary that has
access to a single weak chosen message attack. We say the one-time signature scheme is
strong, if the adversary can neither forge a signature on a different message nor create a
different signature on the chosen message she already got signed. An obvious candidate
for such a scheme is the Boneh-Boyen signature scheme [BB04], since this signature
scheme is deterministic and hence automatically has the strongness property.

6.3 Non-interactive Proofs for Bilinear Groups 

Groth and Sahai [GS07] suggest non-interactive proofs that capture relations for
bilinear groups. They look at sets of equations in our bilinear group $(p, G, G_T, e, g)$ over
variables in $G$ and $\mathbb{Z}_p$ such as pairing product equations, e.g. $e(x_1, x_2)e(x_3, x_4) = 1$, or
multi-exponentiation equations, e.g. $x_1^{\delta_1} x_2^{\delta_2} = 1$. They suggest non-interactive proofs
for demonstrating that a set of equations of the form described above has a solution
$x_1, \ldots, x_I \in G$, $\delta_1, \ldots, \delta_J \in \mathbb{Z}_p$ so all equations are simultaneously satisfied. Their
proofs are in the common reference string model. There are two types of common
reference strings that yield respectively perfect soundness and perfect witness
indistinguishability/perfect zero-knowledge. The two types of common reference strings are
computationally indistinguishable and they both give perfect completeness. We now
give some further details.

[GS07] show that there exist four probabilistic polynomial time algorithms
$(K, P, V, X)$, which we call respectively the key generator, the prover, the verifier and
the extractor. The key generator takes $(p, G, G_T, e, g)$ as input and outputs a common
reference string $crs = (F, H, U, V, W, U', V', W') \in G^8$ as well as an extraction key
$xk$. Given a set of equations, the prover takes $crs$ and a witness $x_1, \ldots, x_I, \delta_1, \ldots, \delta_J$
as input and outputs a proof $\pi$. The verifier given $crs$, a set of equations and $\pi$ outputs
1 if the proof is valid and else it outputs 0. Finally, the extractor on a valid proof $\pi$ will
extract $x_1, \ldots, x_I \in G$, in other words it will extract part of the witness.

The proofs of [GS07] have perfect completeness: on a correctly generated CRS and
a correct witness, the prover always outputs a valid proof. They have perfect soundness:
on a correctly generated CRS it is impossible to create a valid proof unless the equations
are simultaneously satisfiable. Further, they have perfect partial knowledge: given $xk$
the algorithm $X$ can extract $x_1, \ldots, x_I$ from the proof, such that there exists a solution
for the equations that use these $x_1, \ldots, x_I$.

There exists a simulator $S_1$ that outputs a simulated common reference string $crs$ and
a simulation trapdoor key $tk$. These simulated common reference strings are
computationally indistinguishable from the common reference strings produced by $K$ assuming
the DLIN problem is hard. On a simulated common reference string, the proofs created
by the prover are perfectly witness-indistinguishable: if there are many possible
witnesses for the equations being satisfiable, the proof $\pi$ does not reveal anything about
which witness was used by the prover when creating the proof. Further, let us call a set
of equations tractable, if it is possible to find a solution, where $x_1, \ldots, x_I$ are the same
in all equations, but $\delta_1, \ldots, \delta_J$ are allowed to vary from equation to equation. Tractable
equations have perfect zero-knowledge proofs on simulated reference strings: there
exists a simulator $S_2$ that on a simulated reference string $crs$ and a simulation trapdoor
key $tk$ produces a simulated proof $\pi$ for the tractable equations being satisfiable. If the
equations are satisfiable, then simulated proofs are perfectly indistinguishable from the
proofs a real prover with a witness would form on a simulated reference string.

It will be useful later in the paper to know some technical details of the
construction. The values $F, H, U, V, W$ will be used to commit to the variables $x$ as
$(c_1, c_2, c_3) := (F^r U^t, H^s V^t, g^{r+s} W^t x)$ for randomly chosen $r, s, t \in \mathbb{Z}_p$. On a real
common reference string, they are set up so $U = F^R, V = H^S, W = g^{R+S}$ so
the commitment can be rewritten as $(F^{r+Rt}, H^{s+St}, g^{r+s+(R+S)t} x)$. The extraction
key is $xk := (\phi, \eta)$ so $F = g^{\phi}, H = g^{\eta}$. This permits decryption of the commitment
as $x = c_3 c_1^{-1/\phi} c_2^{-1/\eta}$. On the other hand, on a simulation reference string, we use
$U = F^R, V = H^S, W = g^T$ with $T \neq R + S$, which makes the commitment perfectly
hiding.

To commit to a variable $\delta \in \mathbb{Z}_p$ using randomness $r, s$ we use the commitment
$(d_1, d_2, d_3) := (F^r (U')^{\delta}, H^s (V')^{\delta}, g^{r+s} (W')^{\delta})$. On a normal common reference
string, we pick $U' = F^R, V' = H^S, W' = g^T$ for $T \neq R + S$. This makes the
commitment perfectly binding. On a simulated common reference string, on the other
hand, we pick $U' = F^R, V' = H^S, W' = g^{R+S}$. The simulation trapdoor key is
$tk := (R, S)$, which permits us to trapdoor open a commitment to 0 to any value $\delta$
since $(F^r, H^s, g^{r+s}) = (F^{r-R\delta}(U')^{\delta}, H^{s-S\delta}(V')^{\delta}, g^{r+s-(R+S)\delta}(W')^{\delta})$.


6.4 Selective-Tag Weakly CCA-Secure Encryption 

We will use a tag-based cryptosystem [MRY04] due to Kiltz [Kil06]. The public key
consists of random non-trivial elements $pk = (F, H, K, L) \in G^4$ and the secret key is
$sk = (\phi, \eta)$ so $F = g^{\phi}, H = g^{\eta}$. We encrypt $m \in G$ using tag $t \in \mathbb{Z}_p$ and randomness
$r, s \in \mathbb{Z}_p$ as $(y_1, \ldots, y_5) := (F^r, H^s, g^{r+s} m, (g^t K)^r, (g^t L)^s)$. The validity of the
ciphertext is publicly verifiable, since valid ciphertexts have $e(F, y_4) = e(y_1, g^t K)$ and
$e(H, y_5) = e(y_2, g^t L)$. Decryption can be done by computing $m = y_3 y_1^{-1/\phi} y_2^{-1/\eta}$. In the
group signature scheme, we will set up the cryptosystem with the same $F, H$ as in the
common reference string of the non-interactive proofs.

[Kil06] shows that under the DLIN assumption this cryptosystem is selective-tag
weakly CCA-secure. By this we mean that it is indistinguishable which message we
encrypted under a tag $t$, even when we have access to a decryption oracle that decrypts
ciphertexts under any other tag. Formally, for all non-uniform polynomial time
adversaries $\mathcal{A}$ we have:

$$\Pr\bigl[gk \leftarrow \mathcal{G}(1^k);\ t \leftarrow \mathcal{A}(gk);\ (pk, sk) \leftarrow K(gk);\ (m_0, m_1) \leftarrow \mathcal{A}^{D_{sk}(\cdot,\cdot)}(pk);\ y \leftarrow E_{pk}(t, m_0) : \mathcal{A}^{D_{sk}(\cdot,\cdot)}(y) = 1\bigr]$$

$$\approx \Pr\bigl[gk \leftarrow \mathcal{G}(1^k);\ t \leftarrow \mathcal{A}(gk);\ (pk, sk) \leftarrow K(gk);\ (m_0, m_1) \leftarrow \mathcal{A}^{D_{sk}(\cdot,\cdot)}(pk);\ y \leftarrow E_{pk}(t, m_1) : \mathcal{A}^{D_{sk}(\cdot,\cdot)}(y) = 1\bigr],$$

where the oracle returns $D_{sk}(t', y')$ if $t' \neq t$.

7 The Group Signature Scheme 

The core of our group signature scheme is the certified signature scheme from Section^]
The issuer acts as a certification authority and whenever a new member $i$ wants to enroll,
she needs to create a verification key $v_i$ for the Boneh-Boyen signature scheme and get
a certificate from the issuer. In the group signature scheme, the verification key and the
corresponding secret key are generated with an interactive key generation protocol as
defined in Section EH! This way both user and issuer know that $v_i$ is selected with the
correct distribution and that the user holds the corresponding secret key $x_i$.

When making a group signature, the member will generate a key pair $(vk_{sots}, sk_{sots})$
for a strong one-time signature that is secure under weak chosen message attack. She
will sign the message using $sk_{sots}$ and use $x_i$ to sign $vk_{sots}$. The combination of
certified signatures and strong one-time signatures is what makes it hard to forge group
signatures.

Group signatures have to be anonymous and therefore we cannot reveal the
certified signature. Instead, a group signature will include a non-interactive witness-
indistinguishable (NIWI) proof of knowledge of a certified signature on $vk_{sots}$.
Witness-indistinguishability implies that a group signature does not reveal which group
member has signed the message. The opener will hold the extraction key for the NIWI
proof of knowledge and will be able to extract the certified signature. Whenever an
opening is called for, she extracts the signature on $vk_{sots}$, which points to the
member who signed the message. In case no member has certified signed $vk_{sots}$, the opener
points to the issuer since the certified signature has a valid certificate.

The ideas above suffice to construct a CPA-anonymous group signature scheme. To
get anonymity even when the adversary has access to the Open oracle, we will encrypt
the signature on $vk_{sots}$ with Kiltz' cryptosystem using $vk_{sots}$ as a tag. We will also give
an NIZK proof that the encrypted signature is the same as the one used in the NIWI
proof of knowledge.

We present the full group signature scheme in Figure 2. Let us explain the non-
interactive proofs further. The NIWI proof of knowledge will demonstrate that there
exists a certified signature $(a, b, v, \sigma)$ on $vk_{sots}$ so

$$e(a, hv)\,e(f, b) = T \ \wedge\ e(\sigma, v\, g^{\mathrm{Hash}(vk_{sots})}) = e(g, g).$$

In the terminology of [GS07], these are two pairing product equations over three
variables $b, v, \sigma$. The last element $a$ will be public, since we can rerandomize the certificate
such that $a$ does not identify the member. [GS07] gives us an NIWI proof of knowledge
for these two equations being simultaneously satisfiable that consists of 27 group
elements. This proof consists of three commitments to respectively $b, v, \sigma$, which consist
of 3 group elements each, and two proofs for the committed values satisfying the two
equations consisting of 9 group elements each.

In the NIZK proof we have a ciphertext $y$ under tag $\mathrm{Hash}(vk_{sots})$ and a commitment
$c$ to $\sigma$ from the NIWI proof of knowledge. We wish to prove that the plaintext of $y$ and
the committed value in $c$ are the same. The ciphertext is of the form $(y_1, \ldots, y_5) =
(F^{r_y}, H^{s_y}, g^{r_y+s_y}\sigma, (g^{\mathrm{Hash}(vk_{sots})}K)^{r_y}, (g^{\mathrm{Hash}(vk_{sots})}L)^{s_y})$ and the commitment is of
the form $(c_1, c_2, c_3) = (F^{r_c}U^t, H^{s_c}V^t, g^{r_c+s_c}W^t\sigma)$. Setting $r := r_c - r_y$, $s := s_c - s_y$
we have $(c_1 y_1^{-1}, c_2 y_2^{-1}, c_3 y_3^{-1}) = (F^r U^t, H^s V^t, g^{r+s} W^t)$. On the other hand, if the
plaintext and the committed value are different, then no such $r, s, t$ exist. Proving that
the plaintext and the committed value are the same therefore corresponds to proving
the simultaneous satisfiability of the following equations over $\phi, r, s, t \in \mathbb{Z}_p$:

$$\phi = 1 \ \wedge\ (c_1^{-1} y_1)^{\phi} F^r U^t = 1 \ \wedge\ (c_2^{-1} y_2)^{\phi} H^s V^t = 1 \ \wedge\ (c_3^{-1} y_3)^{\phi} g^{r+s} W^t = 1.$$

This set is tractable, i.e., if we allow $\phi$ to take different values in the equations, then
there is a trivial solution $\phi = 1$ in the first equation and $\phi = r = s = t = 0$ in the
other three equations. Since the set of equations is tractable, there is an NIZK proof for
the 4 equations being simultaneously satisfiable. The proof consists of commitments to
$\phi, r, s, t$, but since the first equation is straightforward we can simply use $(U', V', W')$
as the commitment to $\phi$, which makes it easy to verify that the first equation holds. The
three commitments to $r, s, t$ each consist of 3 group elements. The three last equations
are multi-exponentiations of constants and using the proof of [GS07] each equation
costs 2 group elements to prove. The NIZK proof therefore costs a total of 15 group
elements.
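The commitments of Section 6.3, the tag-based cryptosystem of Section 6.4 and the plaintext-equality relation just derived share one algebra, which the following added Python example (not code from the paper) checks end to end. Group elements of $(p, G, G_T, e, g)$ are stored as their discrete logarithms base $g$, so the pairing becomes a multiplication mod $p$; this exercises the identities only and is not a secure instantiation, and the modulus, helper names and sample values are constructed for the example.

```python
import secrets

P = (1 << 127) - 1  # constructed toy modulus (a prime); not a pairing-friendly group order
G, ONE = 1, 0       # generator g (log 1) and the identity element of G (log 0)

def rand_exp():
    """Random non-zero element of Z_p (also used as a random group element)."""
    return secrets.randbelow(P - 1) + 1
def gmul(*xs):   # product in G: sum of the logs
    return sum(xs) % P
def gexp(x, k):  # x^k in G
    return (x * k) % P
def ginv(x):     # x^{-1} in G
    return (-x) % P
def pair(x, y):  # e(x, y), stored as its log base e(g, g)
    return (x * y) % P
def inv_mod(k):  # k^{-1} in Z_p, needed for the exponents 1/phi and 1/eta
    return pow(k, P - 2, P)

# Section 6.3: commitments to x in G under crs = (F, H, U, V, W).
def gs_crs(phi, eta, binding):
    """Real crs: W = g^{R+S}, extractable with xk = (phi, eta); simulated: W = g^T, T != R+S."""
    F, H = gexp(G, phi), gexp(G, eta)
    R, S = rand_exp(), rand_exp()
    T = (R + S + (0 if binding else 1)) % P
    return (F, H, gexp(F, R), gexp(H, S), gexp(G, T))

def gs_commit(crs, x, r, s, t):
    """(c1, c2, c3) := (F^r U^t, H^s V^t, g^{r+s} W^t x)."""
    F, H, U, V, W = crs
    return (gmul(gexp(F, r), gexp(U, t)), gmul(gexp(H, s), gexp(V, t)),
            gmul(gexp(G, r + s), gexp(W, t), x))

def gs_extract(xk, c):
    """x = c3 * c1^{-1/phi} * c2^{-1/eta}; on a simulated crs this is not the committed x."""
    phi, eta = xk
    c1, c2, c3 = c
    return gmul(c3, ginv(gexp(c1, inv_mod(phi))), ginv(gexp(c2, inv_mod(eta))))

# Section 6.4: Kiltz's tag-based cryptosystem, sharing F, H with the crs as the paper does.
def kiltz_keygen(crs):
    return (crs[0], crs[1], rand_exp(), rand_exp())  # pk = (F, H, K, L), sk = (phi, eta)

def kiltz_encrypt(pk, tag, m, r, s):
    """(y1..y5) := (F^r, H^s, g^{r+s} m, (g^t K)^r, (g^t L)^s)."""
    F, H, K, L = pk
    gt = gexp(G, tag)
    return (gexp(F, r), gexp(H, s), gmul(gexp(G, r + s), m),
            gexp(gmul(gt, K), r), gexp(gmul(gt, L), s))

def kiltz_valid(pk, tag, y):
    """Public check: e(F, y4) = e(y1, g^t K) and e(H, y5) = e(y2, g^t L)."""
    F, H, K, L = pk
    y1, y2, _, y4, y5 = y
    gt = gexp(G, tag)
    return pair(F, y4) == pair(y1, gmul(gt, K)) and pair(H, y5) == pair(y2, gmul(gt, L))

def kiltz_decrypt(pk, sk, challenge_tag, tag, y):
    """Decryption oracle of the selective-tag game: refuses the challenge tag and invalid
    ciphertexts; otherwise m = y3 * y1^{-1/phi} * y2^{-1/eta}, i.e. (y1, y2, y3) is
    opened exactly like a commitment with t = 0."""
    if tag == challenge_tag or not kiltz_valid(pk, tag, y):
        return None
    return gs_extract(sk, y[:3])

# Section 7: the NIZK relation "ciphertext y and commitment c contain the same sigma".
def same_plaintext(crs, c, y, r, s, t):
    """(c1/y1, c2/y2, c3/y3) = (F^r U^t, H^s V^t, g^{r+s} W^t), r = r_c - r_y, s = s_c - s_y."""
    quotient = tuple(gmul(ci, ginv(yi)) for ci, yi in zip(c, y[:3]))
    return quotient == gs_commit(crs, ONE, r, s, t)

def run_checks():
    """Exercise every identity above; every entry of the result is expected to be True."""
    phi, eta = rand_exp(), rand_exp()
    xk = (phi, eta)                       # extraction key, also the Kiltz secret key
    crs = gs_crs(phi, eta, binding=True)
    sigma = rand_exp()                    # stands in for the Boneh-Boyen signature
    rc, sc, t = rand_exp(), rand_exp(), rand_exp()
    c = gs_commit(crs, sigma, rc, sc, t)
    pk = kiltz_keygen(crs)
    tag, ry, sy = rand_exp(), rand_exp(), rand_exp()   # tag stands in for Hash(vk_sots)
    other_tag = (tag + 1) % P
    y = kiltz_encrypt(pk, tag, sigma, ry, sy)
    y_other = kiltz_encrypt(pk, other_tag, sigma, ry, sy)
    r, s = (rc - ry) % P, (sc - sy) % P
    c_sim = gs_commit(gs_crs(phi, eta, binding=False), sigma, rc, sc, t)
    c_bad = gs_commit(crs, gmul(sigma, G), rc, sc, t)  # commits to sigma*g instead
    return {
        "extract_on_real_crs": gs_extract(xk, c) == sigma,
        "extract_on_simulated_crs_fails": gs_extract(xk, c_sim) != sigma,
        "ciphertext_valid": kiltz_valid(pk, tag, y),
        "wrong_tag_rejected": not kiltz_valid(pk, other_tag, y),
        "oracle_refuses_challenge_tag": kiltz_decrypt(pk, xk, tag, tag, y) is None,
        "oracle_decrypts_other_tag": kiltz_decrypt(pk, xk, tag, other_tag, y_other) == sigma,
        "same_plaintext_relation_holds": same_plaintext(crs, c, y, r, s, t),
        "different_plaintext_relation_fails": not same_plaintext(crs, c_bad, y, r, s, t),
    }
```

Running `run_checks()` confirms that extraction only works on the real CRS, that the Kiltz validity check binds the ciphertext to its tag, and that the quotient of commitment and ciphertext is a commitment to the identity exactly when both hold the same $\sigma$.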

Theorem 2. The scheme in Figure 2 is a group signature scheme with perfect
correctness. Under the DLIN, $q$-SDH and $q$-U assumptions and assuming the strong
one-time signature scheme is secure against weak chosen message attack and the hash-
function is collision resistant, the group signature has anonymity, traceability and non-
frameability.

Sketch of proof. Perfect correctness follows by inspection and the fact that the
constituent protocols have perfect correctness and perfect completeness. We will sketch a
proof that the group signature is secure; we refer to the full paper for more details.

To argue anonymity we consider a situation where the issuer may be corrupt and 
the members’ keys are exposed. Since the adversary controls the issuer, she can let 
both corrupt users and honest users join the group. She can also ask the opener to open 
arbitrary valid group signatures. At some point she will choose two honest members 
and a message and get a group signature from one of the members. We want to show 
that she cannot tell which of the honest members made the group signature, as long as 
she does not ask the opener to open the challenge group signature. 

The NIZK proof implies that the ciphertext y contains the same Boneh-Boyen sig- 
nature a as the NIWI proof of knowledge. The opener can therefore use the decryption 
key for the tag-based cryptosystem to track down the user instead of extracting it from 
the NIWI proof of knowledge. This means we do not need the extraction key for the 
NIWI proof, so we can switch to using a common reference string that gives perfect 
witness-indistinguishability. The only information about the member now resides in the 
ciphertext. The existential unforgeability of the one-time signature under weak chosen
message attack and the collision-freeness of the hash-function make it infeasible for the
adversary to query the opener with a valid group signature that recycles $vk_{sots}$ from
the challenge or that collides with $\mathrm{Hash}(vk_{sots})$. Since $\mathrm{Hash}(vk_{sots})$ is the tag for the
cryptosystem and is never recycled in a query to the opener, the ciphertext does not
reveal which member made the group signature.


GKg$(1^k)$
    $gk \leftarrow \mathcal{G}(1^k)$ ; $\mathrm{Hash} \leftarrow \mathcal{H}(1^k)$
    $((f, h, T), z) \leftarrow \mathrm{CertKey}(gk)$
    $(crs, xk) \leftarrow K_{NIWI}(gk)$ ; $K, L \leftarrow G$
    $(F, H, \text{the rest}) \leftarrow \mathrm{Parse}(crs)$ ; $pk := (F, H, K, L)$
    $(gpk, ik, ok) := ((gk, \mathrm{Hash}, f, h, T, crs, pk), z, xk)$

Join/Issue(User $i$: $gpk$, Issuer: $gpk, ik$)
    $((v_i, x_i, a_i, b_i), (v_i, a_i, b_i)) \leftarrow \langle \mathrm{User}, \mathrm{Issuer} \rangle$
    User: If $e(a_i, h v_i)\, e(f, b_i) = T$ set $reg[i] := v_i$ ; $gsk[i] := (x_i, a_i, b_i)$

GSig$(gpk, gsk[i], m)$
    $(vk_{sots}, sk_{sots}) \leftarrow \mathrm{KeyGen}_{sots}(1^k)$
    (Repeat until $\mathrm{Hash}(vk_{sots}) \neq -x_i$)
    $\rho \leftarrow \mathbb{Z}_p$ : $a := a_i f^{-\rho}$ ; $b := b_i (h v_i)^{\rho}$
    $\sigma := g^{1/(x_i + \mathrm{Hash}(vk_{sots}))}$
    $\pi \leftarrow P_{NIWI}(crs, (gpk, a, \mathrm{Hash}(vk_{sots})), (b, v_i, \sigma))$
    $y \leftarrow E_{pk}(\mathrm{Hash}(vk_{sots}), \sigma)$
    $\psi \leftarrow P_{NIZK}(crs, (gpk, y, \pi), (r, s, t))$
    $\sigma_{sots} \leftarrow \mathrm{Sign}_{sk_{sots}}(vk_{sots}, m, a, \pi, y, \psi)$
    Return $\Sigma := (vk_{sots}, a, \pi, y, \psi, \sigma_{sots})$

GVf$(gpk, m, \Sigma)$
    Return 1 if these verifications pass:
        $\mathrm{Vf}_{vk_{sots}}((vk_{sots}, m, a, \pi, y, \psi), \sigma_{sots})$
        $V_{NIWI}(crs, (gpk, a, \mathrm{Hash}(vk_{sots})), \pi)$
        $V_{NIZK}(crs, (gpk, \pi, y), \psi)$
        $\mathrm{ValidCiphertext}(pk, \mathrm{Hash}(vk_{sots}), y)$
    Else return 0

Open$(gpk, ok, m, \Sigma)$
    $(b, v, \sigma) \leftarrow X_{xk}(crs, (gpk, a, \mathrm{Hash}(vk_{sots})), \pi)$
    Return $(i, \sigma)$ if there is $i$ so $v = v_i$
    Else return $(0, \sigma)$

Judge$(gpk, i, reg[i], m, \Sigma, \sigma)$
    Return 1 if $i \neq 0 \ \wedge\ e(\sigma, v_i\, g^{\mathrm{Hash}(vk_{sots})}) = e(g, g)$
    Else return 0

Fig. 2. The group signature scheme

We have to argue that a user cannot be framed. We consider an unfriendly environ- 
ment where both the issuer and the opener are corrupt. They are trying to come up with 
a proof that the user signed a message, a proof that consists of a Boneh-Boyen signature. 
When joining the group, the user and the issuer engage in a key registration protocol. 
This protocol gives the user a uniformly random x and a Boneh-Boyen verification key 
v = g x , without the issuer learning x. Even if the user makes group signatures on arbi- 
trary messages, this just corresponds to signing randomly chosen verification keys for 
the strong one-time signature scheme. The weak chosen message attack security of the 
Boneh-Boyen signature scheme is therefore sufficient to guarantee that the adversary 
cannot falsely accuse the user of having signed a message that she did not sign. 

Finally, we consider an honest issuer that keeps her issuer key secret and an honest 
opener with an exposed opener key. We have to argue that a valid group signature can 
always be traced back to a member of the group. By the perfect extractability of the 
NIWI proof of knowledge, we can extract a valid certified signature on $\mathrm{Hash}(vk_{sots})$
from the NIWI proof $\pi$. The key registration protocol guarantees that all members have
correctly generated signing keys. The unfakeability of the certified signature scheme
therefore implies that a member has made the group signature. The Boneh-Boyen
signature $\sigma$ is sufficient to trace this member, since it matches a unique verification
key.

Efficiency. If we instantiate the strong one-time signature with the Boneh-Boyen
signature scheme a verification key is one group element and a one-time signature is
also one group element. We make the element $a$ public. The NIWI proof of knowledge
consists of 27 group elements. The ciphertext consists of 5 group elements. The NIZK
proof consists of 15 group elements. The total size of a group signature is therefore 50
group elements in $G$. This is of course much better than the many thousand elements
required for a group signature in [Gro06].

In case CPA-anonymity is sufficient, we can consider a lighter version of our group
signature, where we omit the ciphertext $y$ and the NIZK proof $\psi$. This CPA-anonymous
group signature scheme would consist of 30 group elements. We observe that regular
anonymity implies that the group signature is strong, i.e., even when seeing a message
$m$ and a group signature $\Sigma$ on it, it is not possible to create a different group signature
$\Sigma'$ on $m$ such that it still points to the same member. In CPA-anonymity, however, we
do not give the adversary access to an opening oracle and thus mauling signatures is
no longer a problem. If we do not care about the group signature being strong, we do
not need the strong one-time signature key and we can simply sign $\mathrm{Hash}(m)$ instead
of $\mathrm{Hash}(vk_{sots})$. This reduces the size of the group signatures further to 28 group
elements. In comparison, the CPA-anonymous group signature scheme of [BW07] consists
of 6 group elements in a composite order group. Since composite order groups rely on
the hardness of factoring, these groups are very large and our CPA-anonymous group
signatures are therefore comparable in size for practical parameters, perhaps even a bit
smaller. However, our CPA-anonymous group signature scheme still supports dynamic
enrollment of members and has a group public key $gpk$ consisting of a constant number
of group elements.

Key generation. Since the [BSZ05]-model assumes a trusted key generator it is
worth considering how the key generation should be carried out in practice. The trust in
our scheme relies on the bilinear group $(p, G, G_T, e, g)$ being generated so the
cryptographic assumptions hold and it relies on the hash-function being collision-free. We
remark that an advantage of our scheme is that we work over prime order bilinear groups,
so it may be possible to use a uniform random string to set up $(p, G, G_T, e, g)$. Also,
since the trust is based on a very elementary setup, a bilinear group and a hash-function,
it is possible that suitable public standards can be found. One could for instance use
SHA-256 as the hash-function.

The non-frameability of the user relies only on the collision-freeness of the hash-
function and the cryptographic assumptions in $(p, G, G_T, e, g)$. The rest of the group
public key $gpk$ can be generated jointly by the issuer and the opener. The issuer
generates the authority key for the certified signature scheme. The opener generates $crs$
and $pk$; anonymity follows from the opener generating these keys correctly. Since the
opener can break anonymity anyway, it is quite reasonable to trust the opener with
protecting anonymity. The opener will have to make a zero-knowledge proof of knowledge
of the corresponding extraction key to the issuer, since the security proof for traceability
relies on the opener being able to actually extract a signature from the NIWI proof of
knowledge.
Abstract. We present group encryption, a new cryptographic primitive
which is the encryption analogue of a group signature. It possesses similar
verifiability, security and privacy properties, but whereas a group signature
is useful whenever we need to conceal the source (signer) within a
group of legitimate users, a group encryption is useful whenever we need
to conceal a recipient (decryptor) within a group of legitimate receivers.

We introduce and model the new primitive and present sufficient as
well as necessary conditions for its generic implementation. We then
develop an efficient novel number theoretic construction for group encryption
of discrete logarithms whose complexity is independent of the group
size. As part of achieving this we construct a new public-key encryption
for discrete logarithms that satisfies CCA2-key-privacy and CCA2-
security in the standard model (this gives the first Paillier-based system
with the above two properties proven in the standard model).

Applications of group encryption include settings where a user wishes 
to hide her preferred trusted third party or even impose a hidden hi- 
erarchy of trusted parties while being required to assure well-formed 
ciphertexts, as well as oblivious storage settings where the set of retriev- 
ers need to be verifiable but the storage distribution should be oblivious 
to the server. 

1 Introduction 

Group signatures were introduced in [22] and further developed in a line of works,
e.g., |2.' 112 011 711 811 1 l.'Uilll.'fll -Wild .4181 1 (1171441211 4K)l.'l. r )l.'10| . In a nutshell a group 
signature allows a registered member of a PKI (a.k.a. a group of registered users) 
to issue a signature on behalf of the group so that the issuer’s identity is assured 
to be valid but is hidden from the verifier. After its introduction, the primitive 
has found numerous applications. 

In this work we introduce a novel cryptographic primitive that is the en- 
cryption analogue of a group signature; we call it group encryption (not to be 
confused with group-oriented cryptography as in |2Kll2j . which is essentially 
threshold cryptosystems). A group encryption scheme allows a sender to pre- 
pare a ciphertext and convince a verifier that it can be decrypted by a member 
of a given PKI group. As in group signature, in a group encryption there can be
an opening authority that can reveal the identity of the group member who is
the recipient of the ciphertext when the appropriate circumstances are triggered.
Note that group encryption provides “receiver anonymity” in the same way that
group signature provides “sender anonymity.” Nevertheless, this primitive was
never considered in the group-signature literature before, even though public-key
encryption and signatures are typically dual primitives that have been developed
in parallel in many other settings.

A Motivating Typical Scenario: In many protocols that attempt to maintain
privacy/anonymity and employ trusted parties, it has often been naturally
advocated as a flexible service to allow a user to choose its recipient trustee (e.g., a
trusted third party for conditionally opening the ciphertext) among a set of
available authorized parties. However, the choice of a third party, while increasing
flexibility, might also reveal some preference of the user, thus reducing privacy. Group
encryption is motivated by such applications. As observed by Chaum EH, the fact
that the trustee is hidden within a large set of trusted parties makes attempts to
bribe officials harder, thus contributing to secrecy of individuals as well.

Let us investigate whether it is possible to implement the above typical
scenario by employing existing primitives. The notion of key-privacy was introduced
in 0 (also j3H), who showed that there exist encryption schemes where it is
impossible for an adversary to distinguish what public-key has been used for the
message encryption. If we attempt to use these encryption schemes, a user may
make his own trustee's public key (without even publishing this public key) and
use that one for encryption, thus faking an encryption to a trustee. Note that
this amounts to attacking the application, since this user's encryption cannot be
opened by any valid trustee. Key privacy for users who encrypt with their own
key was given in [EU, but this means that the user has to be his own trustee,
which, again, is insufficient for the application above. Finally, the notion of
verifiable encryption allows the sender to prove certain properties of the encrypted
message (cf. e.g., jl il 21441171]). If we employ verifiable encryption for the above
application, it only assures verifiability when the public key employed is known
to the verifier. Knowledge of the public key employed, in turn, is an attack on
the anonymity of the trustee in the above application.

Our Major Contributions. In this work, motivated by the above examples, 
we first contribute the definition, formalization and generic feasibility of group 
encryption. We then construct an efficient concrete implementation and investi- 
gate its related number theoretic properties. 

- Definition and Model. The group encryption primitive (GE) involves a public-
key encryption scheme with special properties, a group joining protocol (involving
public-key certification) and a message space that may have a required structure.
Besides correctness, there are three security properties that pertain to GE
schemes. The first two of these properties, called Security and Anonymity,
protect the sender from a hostile environment that tries to either extract
information about the message (security) or to extract information about who the
recipient is (anonymity). We require both properties to have the strongest notion
of immunity to attack, namely CCA2 [27,41]. The third property, that we call
Soundness, protects the verifier from a hostile environment in which the sender,
the group manager and the recipients collude against him, so that he accepts a
ciphertext (e.g., an encrypted record to be stored) that either does not have the
required structure or cannot be decrypted by a registered group member.

- Necessary and Sufficient Conditions and Generic Design. We identify the nec- 
essary cryptographic components of a GE scheme that include: a digital signa- 
ture with adaptive chosen message security, a public-key encryption scheme that 
satisfies both CCA2-key-privacy and CCA2-security, and zero-knowledge proofs 
for NP statements. Using such components we demonstrate how a generic GE 
scheme can be implemented and how, in turn, the scheme implies these compo- 
nents (where encryption is derived directly with a relatively tight reduction). 

- Efficient Design. We design a GE scheme for the discrete logarithm relation,
which is one of the most useful relations in cryptography. To this end we employ
the modular design as a guide. However, in order to get an efficient scheme,
we need to design, exploit and combine primitives that algebraically suit the
primitive's structure so that the ciphertext and the interaction associated with
it have size independent of the size of the group of potential receivers. Given the
large multitude of strong security requirements the model possesses, we found
the task of designing and proving the properties to be quite challenging.

- Efficient Encryption of Discrete Logarithm with CCA2-Security and CCA2- 
key-privacy. As our first step in the overall group encryption design, we point 
out that no existing public-key encryption scheme is suitable for designing a 
GE for discrete logarithm relations, since the compound set of the requirements 
that include verifiability, CCA2-security and CCA2-key-privacy for anonymity 
has not been achieved before and requires special attention. We then design a 
public-key encryption with CCA2 key-privacy suitable for CCA2 secure verifiable 
encryption of discrete-logarithms. The security of the scheme is based on the 
Decisional Composite Residuosity (DCR) assumption of @01 (and its design is
motivated by earlier works of mmm). We note that our encryption is the
first Paillier-based scheme proven to satisfy key-privacy, a fact which may be of 
independent interest. 

- Algebraic Structure and Intractability Assumption. A new intractability
assumption is required for proving the key-privacy property of our encryption
scheme: the Decisional Diffie-Hellman assumption for the subgroup of square
(quadratic) $n$-th residues ($\mathrm{DDH}_{SQNR}$). We explain why this is a natural
variation of DDH over a cyclic subgroup of $\mathbb{Z}^*_{n^2}$ that has order without small prime
divisors and moreover, to strengthen the claim of intractability, we prove that the
DCR (which is needed for arguing the security of the scheme anyway) implies the
computational Diffie-Hellman (CDH) assumption in this subgroup. Note that we
know of no arithmetic cyclic group without a partial discrete-log trapdoor, where
CDH holds but where DDH does not, and thus the assumption seems reasonable.
Applications of Group Encryption. The combination of CCA2 security of
ciphertexts, CCA2 anonymity of receivers and verifiability is a strong one and 
supports some enhanced properties of known constructions as well as opens the 
door for new applications. 

— Anonymous Trusted Third Party Applications. Many protocols such as Fair Encryption, Escrow Encryption, Group Signatures, Fair Exchange, etc. employ a trustee, namely a trusted third party who is off-line during the protocol and gets invoked in case something goes wrong. For these primitives it is expected, and has been advocated, that there will be a multitude of such trustees. In this case the identity of the chosen trustee may reveal certain aspects of the user, whereas the user prefers to retain her privacy. For example, imagine an “International Key Escrow” scenario where a user wants to deposit (encrypt) a key with her own national trusted representative, and needs to do this in a verifiable way. Such a choice, if made public, may reveal the user’s nationality (in violation of privacy). The new group encryption primitive enables the user to trust her own representative without revealing its identity, yet to assure others that a designated trustee has indeed been chosen (and not a “faked trustee”). We believe this enhanced privacy, combined with flexibility in the choice of trustee, is an important step forward in privacy primitives. In this new setting two models are possible for taking keys off escrow. In the first, each trustee tries to retrieve all the keys from the available ciphertext repository and succeeds only on the ciphertexts that are his to open. In the second, there is an opening authority which can open the identity of the trustee (but not the encrypted key, due to separation of duties); the opening authority in turn directs the ciphertext to the chosen trustee to be decrypted. Our primitive supports both opening models. A similar scenario is proxy voting, where users deposit their votes encrypted under the public key of a proxy of their choice. A proxy is a designated trustee in this case, and each user may prefer (or even be required by legislation) to hide her choice when depositing her vote. The proxies can be called upon later, in the tallying phase, to recover the votes entrusted to them. Recall that, as motivated above when contrasting group encryption with mere key privacy or verifiable encryption, if any of the security properties of group encryption is missing the application loses its effectiveness; only the combination of provability (soundness), CCA2 security and CCA2 key privacy delivers the desired effect on the overall escrow system.

Ad-Hoc Access Structure Group Signature. We may implement the opening authority in group encryption as a multitude of trustees and use it to encrypt a signing credential. In this way we can build a group signature where signers organize the set of trustees that can open their signature by acting on it in a predetermined order following an ad-hoc structure that is only partially revealed to the verifier (e.g., a tree or other graph). This is achieved by cascading the group encryption primitive so that a sequence of hops (identity discoveries and transfers) is required to recover the identity of the signer in the signature opening step. This notion generalizes “hierarchical group signatures”, a primitive introduced in P3J where the trustee access structure was a fixed tree. This application demonstrates the power of our primitive in organizing hidden structures of decrypting parties with CCA2 hiding and securing properties.

— Secure Oblivious Retriever Storage. In the area of ubiquitous computing, secure and anonymous credentials may move between computing elements (computer, mobile unit, embedded device, etc.). A user may want to pass a credential secretly and anonymously between devices (either between her own devices, or devices of her peers, all belonging to the same group). Asynchronous transfer that does not require all devices to be present at the same time requires a storage server (similar to a mail server). We can employ group encryption to implement such a storage server safely, where it is guaranteed that (1) the server only stores valid credentials (i.e., well-formed ones that can be delivered to a legitimate retriever, so the server cannot be tricked into storing garbage); (2) the credentials are encrypted, so the server (or anyone who compromises it) cannot use them; and (3) the identity of the retrievers of credentials is hidden (even under active attacks, i.e., CCA2 security conditions are needed). A device reading the storage can recover its credentials by scanning the storage sequentially and succeeding in decrypting the credentials directed to it (with or without the aid of an opening authority).

We note that group encryption is naturally related to the notion of “custodian-hiding verifiable encryption” that was investigated in |3HI37| and may apply in similar application scenarios. From the construction point of view, the focus of the present work is on attaining complexity that is constant in the group size, as opposed to the linear complexity of that previous work.

2 Group Encryption: Model and Definitions

The parties involved in a GE scheme are the sender, the verifier, a group manager (GM) that manages the group of receivers and an opening authority (OA) that is capable of discovering the identity of the receiver. Formally, a GE scheme that is verifiable for a public relation $\mathcal{R}$ is a collection of procedures and protocols denoted $\mathsf{SETUP}, \mathsf{JOIN}, (\mathcal{G}_r, \mathcal{R}, \mathsf{sample}_{\mathcal{R}}), \mathsf{ENC}, \mathsf{DEC}, \mathsf{OPEN}, (\mathcal{P}, \mathcal{V}, \mathsf{recon})$. The functionality of these procedures is as follows. $\mathsf{SETUP}$ is a set of initialization procedures for the system, one for the GM, one for the OA and one to produce the public parameters (denoted $\mathsf{SETUP}_{GM}$, $\mathsf{SETUP}_{OA}$, $\mathsf{SETUP}_{init}$ respectively). Using their respective setup procedures, the GM and the OA produce their public/secret-key pairs $(pk_{GM}, sk_{GM})$ and $(pk_{OA}, sk_{OA})$. $\mathsf{JOIN} = (\mathsf{J}_{user}, \mathsf{J}_{GM})$ is a protocol between a prospective group member and the GM. After an execution of $\mathsf{JOIN}$ the group member outputs his public/secret-key pair $(pk, sk)$; the new member’s public key $pk$ along with a certificate $cert$ is published in the public directory $\mathsf{database}$ by the GM. We denote by $\mathcal{L}^{param}$ the language of all valid public keys, where $param$ is a public parameter produced by $\mathsf{SETUP}_{init}$.
To employ GE in a transaction, it is assumed that the sender (call her Alice) has obtained a pair $(x, w)$ sampled according to the procedure $\mathsf{sample}_{\mathcal{R}}(pk_{\mathcal{R}}, sk_{\mathcal{R}})$, where $pk_{\mathcal{R}}, sk_{\mathcal{R}}$ are produced by the generation procedure $\mathcal{G}_r(1^\nu)$ that samples the public/secret parameters of the relation $\mathcal{R}$. We remark that the secret parameter $sk_{\mathcal{R}}$ may be empty depending on the relation (e.g., the discrete-logarithm relation is typically publicly samplable, hence $sk_{\mathcal{R}}$ is empty, but this is not the case in general). The polynomial-time testing procedure $\mathcal{R}(x, w)$ returns $\mathsf{true}$ iff $(x, w)$ belongs to the relation with respect to the public parameter $pk_{\mathcal{R}}$. We note that for a relation $\mathcal{R}(\cdot, \cdot)$ it will be useful that it is hard to extract a “witness” $w$ given an instance $x$; however, this need not be included in the formal requirements for a GE scheme. Note that if verifiability is not desired from the GE, the relation $\mathcal{R}$ is set to be the trivial relation that accepts any string of a fixed size as a witness (in which case $x$ is simply $1^{|w|}$).

Alice, possessing the pair $(x, w)$, wishes to encrypt $w$ for her chosen receiver, call him Bob. She obtains Bob’s certified public key $(pk, cert)$ from $\mathsf{database}$ and, employing the public keys $pk_{GM}$ and $pk_{OA}$, encrypts $w$ as $\psi \leftarrow \mathsf{ENC}(pk_{GM}, pk_{OA}, pk, cert, w, L)$, obtaining the ciphertext $\psi$ with a certain label $L$ ($L$ is a public string bound to the ciphertext that may contain some transaction-related data or be empty; we call it the “context” of $\psi$). Alice gives $x, \psi, L$ to the verifier. Subsequently, Alice and the verifier engage in the proof of knowledge $(\mathcal{P}, \mathcal{V})$, which ensures the following regarding the ciphertext $\psi$ and label $L$: there exists a group member whose key is registered in $\mathsf{database}$ (i.e., Bob in this case) who is capable of decrypting $\psi$ in context $L$ and obtaining a value $w'$ such that, for $w \leftarrow \mathsf{recon}(w')$, we have $(x, w) \in \mathcal{R}$. For $(\mathcal{P}, \mathcal{V})$, the input of the verifier is the values $param, pk_{GM}, pk_{OA}, pk_{\mathcal{R}}, x, \psi, L$, whereas the prover (Alice) has as additional input the values $pk, cert, w$ as well as the coin tosses used in the formation of $\psi$. The function $\mathsf{recon}(\cdot)$ reconstructs a witness from the decryption of $\psi$ and may be the identity function.

In the remainder of the section we give four definitions: correctness and the three security-related properties of GE, namely security, anonymity and soundness. For two-party protocols we use the notation $(\mathsf{output}_A \mid \mathsf{output}_B) \leftarrow (A(\mathsf{input}_A), B(\mathsf{input}_B))(\mathsf{common\_input})$.

Definition 1. (Correctness) A GE scheme is correct if the following “correctness game” returns 1 with overwhelming probability.

1. $param \leftarrow \mathsf{SETUP}_{init}(1^\nu)$; $(pk_{\mathcal{R}}, sk_{\mathcal{R}}) \leftarrow \mathcal{G}_r(1^\nu)$; $(x, w) \leftarrow \mathsf{sample}_{\mathcal{R}}(pk_{\mathcal{R}}, sk_{\mathcal{R}})$.

2. $(pk_{GM}, sk_{GM}) \leftarrow \mathsf{SETUP}_{GM}(param)$; $(pk_{OA}, sk_{OA}) \leftarrow \mathsf{SETUP}_{OA}(param)$;

3. $(pk, sk, cert \mid pk, cert) \leftarrow (\mathsf{J}_{user}, \mathsf{J}_{GM}(sk_{GM}))(pk_{GM})$. If $pk \notin \mathcal{L}^{param}$ then abort;

4. $\psi \leftarrow \mathsf{ENC}(pk_{GM}, pk_{OA}, pk, cert, w, L)$.

5. $out_1 \leftarrow [\, w = \mathsf{recon}(\mathsf{DEC}(sk, \psi, L)) \,]$.

6. $out_2 \leftarrow [\, pk = \mathsf{OPEN}(sk_{OA}, [\psi]_{oa}, L) \,]$.

7. $(\mathsf{done} \mid out_3) \leftarrow (\mathcal{P}(w, \psi, coins_\psi), \mathcal{V})(param, pk_{GM}, pk_{OA}, pk_{\mathcal{R}}, x, \psi, L)$.

8. If $out_1 = out_2 = out_3 = \mathsf{true}$ return 1.
As shown above, the opening procedure $\mathsf{OPEN}$ may operate not on the whole ciphertext $\psi$ but on a substring of it, denoted $[\psi]_{oa}$; we make the distinction explicit as it is relevant for chosen-ciphertext security.

There are three “security notions” for GE schemes: security, anonymity and soundness (which includes verifiability). Security and anonymity are properties that protect Alice (the prover) against a system that acts against her.

Formulation of the Security Property. In our definitions we use a number of traditional oracles that express the nature of the interaction between the adversary and the system. We employ oracles that are stateless (maintaining no state across queries) as well as stateful ones. Next, we introduce the decryption oracle, the challenge procedure and the prover-simulator oracle.

$\mathsf{DEC}(sk, \cdot)$: This is a decryption oracle for the GE decryption function $\mathsf{DEC}$. The value $sk$ is a secret key that will be clear from the context. If $\psi$ is some “forbidden” ciphertext with label $L$ that the oracle must reject, we write $\mathsf{DEC}^{\neg\langle \psi, L \rangle}(sk, \cdot)$.

$\mathsf{CH}^{ror}_b(1^\nu, pk, w, L)$: This is a real-or-random challenge procedure for the GE encryption scheme. It returns two values $(\psi, coins_\psi)$ such that if $b = 1$ then $\psi \leftarrow \mathsf{ENC}(pk_{GM}, pk_{OA}, pk, cert, w, L)$, whereas if $b = 0$ then $\psi \leftarrow \mathsf{ENC}(pk_{GM}, pk_{OA}, pk, cert, w', L)$, where $w'$ is a plaintext sampled at random from the space of all possible plaintexts of length $\ell_\nu$ for the encryption function (it is assumed that at least two plaintexts exist). In either case $coins_\psi$ are the random coin tosses used in the computation of $\psi$.

$\mathsf{PROVE}_{\mathcal{P}, \mathcal{P}', b}(pk_{GM}, pk_{OA}, pk, cert, pk_{\mathcal{R}}, x, w, \psi, L, coins_\psi)$: This is an oracle that, if $b = 1$, simulates an execution of the prover procedure $\mathcal{P}$ of the GE scheme (i.e., Alice) on $pk_{GM}, pk_{OA}, pk, cert, pk_{\mathcal{R}}, x, w, \psi, L, coins_\psi$. If $b = 0$, it simulates the protocol $\mathcal{P}'$, which takes the same input as $\mathcal{P}$ with the exception of the values $w$ and $coins_\psi$ (the design of $\mathcal{P}'$ is part of proving the security property).

Based on the above three procedures we are ready to give the security definition, which is reminiscent of a real-or-random attack on the underlying encryption scheme. In the game below the adversary controls the GM and OA and all group members except the member that Alice chooses as her recipient, i.e., Bob. In fact, the adversary is the entity that introduces Bob into the group and issues a certificate for his public key. Moreover, the adversary has CCA2 access to Bob’s secret key. The adversary also selects some public relation $\mathcal{R}$ via $pk_{\mathcal{R}}$ as well as a pair $(x, w)$. Subsequently a coin is tossed and the adversary either receives the encryption of $w$ and engages with Alice in the proof of ciphertext validity, or receives an encryption of a random plaintext and engages in a simulated proof of validity. A GE satisfies security if the adversary is unable to tell the difference. More formally (note that $\mathsf{negl}(\nu)$ is a function that, for any $c$, is less than $\nu^{-c}$ for sufficiently large $\nu$):
Definition 2. A GE scheme satisfies security if there exists a protocol $\mathcal{P}'$ such that the “security game” below, instantiated with any PPT $\mathcal{A}$, returns 1 with probability at most $1/2 + \mathsf{negl}(\nu)$.

1. $param \leftarrow \mathsf{SETUP}_{init}(1^\nu)$; $(\mathsf{aux}, pk_{GM}, pk_{OA}) \leftarrow \mathcal{A}(param)$;

2. $(pk, sk, cert \mid \mathsf{aux}) \leftarrow (\mathsf{J}_{user}, \mathcal{A}(\mathsf{aux}))(pk_{GM})$;

3. $(\mathsf{aux}, x, w, L, pk_{\mathcal{R}}) \leftarrow \mathcal{A}^{\mathsf{DEC}(sk, \cdot)}(\mathsf{aux})$; if $(x, w) \notin \mathcal{R}$ then abort;

4. $b \leftarrow_r \{0, 1\}$; $(\psi, coins_\psi) \leftarrow \mathsf{CH}^{ror}_b(1^\nu, pk, w, L)$;

5. $b^* \leftarrow \mathcal{A}^{\mathsf{PROVE}_{\mathcal{P}, \mathcal{P}', b}(pk_{GM}, pk_{OA}, pk, cert, pk_{\mathcal{R}}, x, w, \psi, L, coins_\psi),\ \mathsf{DEC}^{\neg\langle \psi, L \rangle}(sk, \cdot)}(\mathsf{aux}, \psi)$;

6. if $b = b^*$ return 1 else 0.

Formulation of the Anonymity Property. In the anonymity attack the adversary controls the system except for the opening authority. Anonymity can be thought of as a CCA2 attack against the encryption system of the OA. The adversary registers the two possible recipients in the PKI database and provides the relation and the witness to Alice. Alice always encrypts the same witness, as provided by the adversary, but uses the key of one of the two recipients chosen at random. The adversary, who has CCA2 decryption access to both recipients as well as to the OA, has to guess which of the two is Alice’s choice. We define the following procedures:

$\mathsf{CH}^{anon}_b(pk_{GM}, pk_{OA}, pk_0, pk_1, w, L)$: The challenge procedure receives a plaintext $w$ and two public keys $pk_0, pk_1$, and returns two values $(\psi, coins_\psi)$ such that $\psi \leftarrow \mathsf{ENC}(pk_{GM}, pk_{OA}, pk_b, cert_b, w, L)$ and $coins_\psi$ are the random coin tosses used in the computation of $\psi$.

$\mathsf{USER}(pk_{GM})$: This oracle simulates two instantiations of $\mathsf{J}_{user}$, i.e., it is given $pk_{GM}$ and simulates two users that wish to become members of the group; the oracle has access to a string denoted $\mathsf{keys}$ in which $\mathsf{USER}$ writes the output of the two $\mathsf{J}_{user}$ instances.

$\mathsf{OPEN}(sk_{OA}, \cdot)$: This oracle simulates the $\mathsf{OPEN}$ operation of the opening authority; recall that $\mathsf{OPEN}$ may operate not on the whole ciphertext $\psi$ but on a substring of it, denoted $[\psi]_{oa}$.

Definition 3. A GE scheme satisfies anonymity if the following game, instantiated for any PPT $\mathcal{A}$, returns 1 with probability at most $1/2 + \mathsf{negl}(\nu)$.

1. $param \leftarrow \mathsf{SETUP}_{init}(1^\nu)$; $(pk_{OA}, sk_{OA}) \leftarrow \mathsf{SETUP}_{OA}(param)$;

2. $(pk_{GM}, sk_{GM}) \leftarrow \mathsf{SETUP}_{GM}(param)$; $\mathsf{aux} \leftarrow \mathcal{A}^{\mathsf{USER}(pk_{GM}),\ \mathsf{OPEN}(sk_{OA}, \cdot)}(sk_{GM})$;

3. if $\mathsf{keys} \neq (pk_0, sk_0, cert_0, pk_1, sk_1, cert_1)$ then abort;

4. $(\mathsf{aux}, x, w, L, pk_{\mathcal{R}}) \leftarrow \mathcal{A}^{\mathsf{OPEN}(sk_{OA}, \cdot),\ \mathsf{DEC}(sk_0, \cdot),\ \mathsf{DEC}(sk_1, \cdot)}(\mathsf{aux})$;

5. if $(x, w) \notin \mathcal{R}$ then abort; $b \leftarrow_r \{0, 1\}$;

6. $(\psi, coins_\psi) \leftarrow \mathsf{CH}^{anon}_b(pk_{GM}, pk_{OA}, pk_0, pk_1, w, L)$;

7. $\mathcal{P}_b \leftarrow_{df} \mathcal{P}(pk_{GM}, pk_{OA}, pk_{\mathcal{R}}, pk_b, cert_b, x, w, \psi, L, coins_\psi)$;

8. $b^* \leftarrow \mathcal{A}^{\mathcal{P}_b,\ \mathsf{OPEN}^{\neg\langle \psi, L \rangle}(sk_{OA}, \cdot),\ \mathsf{DEC}^{\neg\langle \psi, L \rangle}(sk_0, \cdot),\ \mathsf{DEC}^{\neg\langle \psi, L \rangle}(sk_1, \cdot)}(\mathsf{aux}, \psi)$;

9. if $b = b^*$ return 1 else 0.
This completes the security definitions as far as Alice is concerned. From the point of view of the verifier, the goal of a malicious environment is to present him with a ciphertext, purportedly encrypting a witness for a public relation, that does not open to a witness even if all the group members apply their decryption function to it. Immunity to this attack, which we call soundness, guarantees that at least one group key opens the ciphertext to a valid witness.

Formulation of the Soundness Property. A soundness attack proceeds as follows: the adversary adaptively creates the group of recipients by communicating with the GM. In this attack game, the adversary wins if, while playing the role of Alice, she convinces the verifier that a ciphertext is valid with respect to a public relation $\mathcal{R}$ of the adversary’s choice, but either (1) applying $sk_{OA}$ to the ciphertext yields a value that is not equal to the public key of any group member, or (2) the revealed key satisfies $pk \notin \mathcal{L}^{param}$. To formalize soundness we introduce the following group registration oracle:

$\mathsf{REG}(sk_{GM}, \cdot)$: this oracle simulates $\mathsf{J}_{GM}$, i.e., it is given $sk_{GM}$ and registers users in the group; the oracle has access to a string $\mathsf{database}$ that stores the public keys and their certificates.

Definition 4. A GE scheme satisfies soundness if, when the following “soundness game” is instantiated with any PPT adversary $\mathcal{A}$, the probability that it returns 1 is negligible.

1. $param \leftarrow \mathsf{SETUP}_{init}(1^\nu)$; $(pk_{OA}, sk_{OA}) \leftarrow \mathsf{SETUP}_{OA}(param)$;

2. $(pk_{GM}, sk_{GM}) \leftarrow \mathsf{SETUP}_{GM}(param)$;

3. $(pk_{\mathcal{R}}, x, \psi, L, \mathsf{aux}) \leftarrow \mathcal{A}^{\mathsf{REG}(sk_{GM}, \cdot)}(param, pk_{GM}, pk_{OA}, sk_{OA})$;

4. $(\mathsf{aux}, \mathsf{out}) \leftarrow (\mathcal{A}(\mathsf{aux}), \mathcal{V})(param, pk_{GM}, pk_{OA}, pk_{\mathcal{R}}, x, \psi, L)$;

5. $pk \leftarrow \mathsf{OPEN}(sk_{OA}, [\psi]_{oa}, L)$;

6. if $pk \notin \mathsf{database}$ or $pk \notin \mathcal{L}^{param}$ or $\psi \notin \mathcal{L}^{pk_{GM}, pk_{OA}, pk, x, L}_{ciphertext}$ then return 1 else 0;

Note that $\mathcal{L}^{pk_{GM}, pk_{OA}, pk, x, L}_{ciphertext} = \{\mathsf{ENC}(pk_{GM}, pk_{OA}, pk, cert, w, L) \mid w : (x, w) \in \mathcal{R},\ (pk, cert) \in \mathsf{Valid}\}$. This means that the soundness adversary wins if the key obtained by the OA after opening is either not in the database, or is invalid, or the ciphertext $\psi$ is not a valid ciphertext under $pk$ encrypting a witness for $x$ under $\mathcal{R}$.

A GE scheme should satisfy correctness, security, anonymity and soundness. Note that: (1) by defining the oracles $\mathsf{USER}$ and $\mathsf{REG}$ appropriately one can allow concurrent attacks or force sequential execution of the group registration process; (2) CPA variants of the security and anonymity definitions w.r.t. either the group members or the OA are obtained by dropping the corresponding $\mathsf{DEC}$ oracles; (3) soundness and security assume a trusted setup; the extension to a malicious setup can be done by enforcing trustworthy initialization by standard methods (e.g., threshold cryptography or ZK proofs).
3 Necessary and Sufficient Conditions for GE Schemes

Given that a GE scheme is a complex primitive, it is helpful to break its construction down into more basic primitives and provide a general methodology for constructing GE schemes. The necessary components for building a GE scheme are the following:

1. Adaptively Chosen Message Secure Digital Signature. It is used by the GM to generate the public-key certificates during the $\mathsf{JOIN}$ procedure.

2. Public-key Encryption with CCA2 Security and Key-Privacy. We employ an encryption scheme $(\mathcal{G}_e, \mathcal{E}, \mathcal{D})$ that satisfies (1) CCA2 security and (2) CCA2 key privacy. We note that in public-key encryption with key privacy the key generation has two components: $\mathcal{Z}_e$, which produces public parameters shared by all key holders, and the key generation $\mathcal{G}_e$, which, given the public parameters of the system, produces a public/secret-key pair. Using $\mathcal{Z}_e$ is mandatory, since some agreement between the receivers is necessary for key privacy (at a minimum all users should employ public keys of the same length).

3. Proofs of Knowledge. Such protocols in the zero-knowledge setting satisfy three properties: completeness, soundness with knowledge extraction and zero-knowledge. These proofs exist for any NP language assuming one-way functions, by reduction to, e.g., the graph 3-colorability proof of knowledge j2H|. In certain settings zero-knowledge proofs can be constructed more efficiently by starting with an honest-verifier zero-knowledge (HVZK) proof of language membership (i.e., a protocol that requires no knowledge extraction and is zero-knowledge only against honest verifiers) and then coupling it with an extractable commitment scheme (to achieve knowledge extraction) and with an equivocal commitment (to enforce zero-knowledge against dishonest verifiers, cf. ESI).

Modular Design of GE schemes. Consider an arbitrary relation $\mathcal{R}$ that has an associated parameter generation procedure $\mathcal{G}_r$ and a witness sampler $\mathsf{sample}_{\mathcal{R}}$. In the modular construction we employ: (1) a digital signature scheme $(\mathcal{G}_s, \mathcal{S}, \mathcal{V}_s)$ that is adaptively chosen message secure; (2) a public-key encryption scheme $(\mathcal{Z}_e, \mathcal{G}_e, \mathcal{E}, \mathcal{D})$ that satisfies CCA2 security and key privacy; (3) two zero-knowledge proofs of language membership (defined below); to facilitate knowledge extraction we also employ an extractable commitment scheme $(\mathcal{Z}_{c,1}, \mathcal{C}_1, \mathcal{T}_1)$. Without loss of generality we assume that all employed primitives operate over bitstrings. The construction of a GE scheme $\mathsf{SETUP}, \mathsf{JOIN}, (\mathcal{G}_r, \mathcal{R}, \mathsf{sample}_{\mathcal{R}}), \mathsf{ENC}, \mathsf{DEC}, \mathsf{OPEN}, (\mathcal{P}, \mathcal{V}), \mathsf{recon}$ is as follows:

$\mathsf{SETUP}$. The $\mathsf{SETUP}_{init}$ procedure selects the parameters $param$ by executing $\mathcal{Z}_e$ and $\mathcal{Z}_{c,1}$ in sequence (we denote by $cpk$ the commitment key produced by $\mathcal{Z}_{c,1}$). $\mathsf{SETUP}_{GM}$ is the signature key generation $\mathcal{G}_s$, and $\mathsf{SETUP}_{OA}$ is the encryption key generation $\mathcal{G}_e$.

$\mathsf{JOIN}$. Each prospective user executes $\mathcal{G}_e$ to obtain $pk, sk$ and then engages with the GM in a protocol $(\mathcal{P}_{pk}, \mathcal{V}_{pk})$, a proof of language membership for the language $\mathcal{L}^{param} = \{pk \mid \exists sk, \rho : (pk, sk) = \mathcal{G}_e(param; \rho)\}$. The GM responds with the signature $cert \leftarrow \mathcal{S}(sk_{GM}, pk)$.
$\mathsf{ENC}$. Given a witness $w$ for a value $x$ such that $(x, w) \in \mathcal{R}$ and a label $L$, the procedure returns $\psi =_{df} (\psi_1, \psi_2, \psi_3, \psi_4)$ where $\psi_1 \leftarrow \mathcal{E}(pk, w, L_1)$, $\psi_2 \leftarrow \mathcal{E}(pk_{OA}, pk, L_2)$, $\psi_3 \leftarrow \mathcal{C}_1(cpk, pk)$, $\psi_4 \leftarrow \mathcal{C}_1(cpk, cert)$, with $L_1 = \psi_2 \| \psi_3 \| \psi_4 \| L$ and $L_2 = \psi_3 \| \psi_4 \| L$.

$\mathsf{DEC}$. Given $sk$, a ciphertext $(\psi_1, \psi_2, \psi_3, \psi_4)$ and a label $L$, it returns $\mathcal{D}(sk, \psi_1, \psi_2 \| \psi_3 \| \psi_4 \| L)$.

$\mathsf{OPEN}$. Given $sk_{OA}$, a ciphertext $(\psi_2, \psi_3, \psi_4) =_{df} [\psi]_{oa}$ and a label $L$, it returns $\mathcal{D}(sk_{OA}, \psi_2, \psi_3 \| \psi_4 \| L)$.

Finally, the protocol $(\mathcal{P}, \mathcal{V})$ is a zero-knowledge proof of language membership for the language:

$\{(param, pk_{GM}, pk_{OA}, pk_{\mathcal{R}}, x, \psi_1, \psi_2, \psi_3, \psi_4, L) \mid \exists (coins_{\psi_1}, coins_{\psi_2}, coins_{\psi_3}, coins_{\psi_4}, pk, cert, w) :$

$(\mathcal{C}_1(cpk, pk; coins_{\psi_3}) = \psi_3) \wedge (\mathcal{C}_1(cpk, cert; coins_{\psi_4}) = \psi_4) \wedge (\mathcal{V}_s(pk_{GM}, pk, cert) = \mathsf{true})$
$\wedge\ (\mathcal{E}(pk, w, (\psi_2 \| \psi_3 \| \psi_4 \| L); coins_{\psi_1}) = \psi_1)$
$\wedge\ (\mathcal{E}(pk_{OA}, pk, (\psi_3 \| \psi_4 \| L); coins_{\psi_2}) = \psi_2) \wedge ((x, w) \in \mathcal{R})\}$

Note that the reconstruction procedure $\mathsf{recon}$ is simply the identity function.

Theorem 1. The GE scheme above satisfies (i) Correctness, given that all involved primitives are correct and $(\mathcal{P}_{pk}, \mathcal{V}_{pk})$, $(\mathcal{P}, \mathcal{V})$ satisfy completeness; (ii) Anonymity, given that the encryption scheme for users satisfies CCA2 key privacy, the encryption scheme for the OA satisfies CCA2 security, the commitment scheme $\mathcal{C}_1$ is hiding and $(\mathcal{P}_{pk}, \mathcal{V}_{pk})$ and $(\mathcal{P}, \mathcal{V})$ are zero-knowledge; (iii) Security, given that the employed encryption scheme for users satisfies CCA2 security, the commitment scheme $\mathcal{C}_1$ is hiding and $(\mathcal{P}_{pk}, \mathcal{V}_{pk})$, $(\mathcal{P}, \mathcal{V})$ are zero-knowledge; (iv) Soundness, given that the employed digital signature scheme satisfies adaptive chosen message security, the commitment scheme $\mathcal{C}_1$ is binding and extractable and $(\mathcal{P}_{pk}, \mathcal{V}_{pk})$ and $(\mathcal{P}, \mathcal{V})$ satisfy soundness.

Necessity of the basic primitives. We consider the reverse of the above 
results: the existence of GE would imply public-key encryption that is CCA2 
secure and private as well as digital signature and zero-knowledge proofs for any 
NP-language. More details are given in the full version E3- 

4 Efficient GE of Discrete-Logarithms

In this section we consider the discrete-logarithm relation $(\mathcal{G}_{dl}, \mathcal{R}_{dl}, \mathsf{sample}_{dl})$: $\mathcal{G}_{dl}$, given $1^\nu$, samples a description of a cyclic group $G$ of $\nu$-bit order and a generator $\gamma$ of that group; $\mathcal{R}_{dl}$ contains pairs of the form $(x, w)$ where $x = \gamma^w$; note that $pk_{\mathcal{R}} = (desc(G), \gamma)$ and $sk_{\mathcal{R}}$ is empty. Finally $\mathsf{sample}_{dl}$, on input $pk_{\mathcal{R}}$, selects a witness $w$ and returns the pair $(x = \gamma^w, w)$. In this section we present a GE scheme for this relation. Note that the results of this section can easily be extended to other relations based on discrete logs, such as a commitment to $w$.

Design of a public-key encryption for discrete-logarithms with key-privacy and security. One of the hurdles in designing a GE for discrete logarithms is finding a suitable encryption scheme for the group members. In this section we present a public-key encryption scheme that is suitable for verifiable encryption of discrete logarithms while satisfying CCA2 key privacy and CCA2 security. The scheme is related to previous public-key encryption schemes of [2414012811 911 ()j and it is the first Paillier-based public-key encryption that is proven to satisfy key privacy and security against chosen-ciphertext attacks. Below we give a detailed description of our public-key encryption $(\mathcal{Z}_e, \mathcal{G}_e, \mathcal{E}, \mathcal{D})$ and of the accompanying intractability assumptions that ensure its properties.

Public parameters. The parameter selection function $\mathcal{Z}_e$, given $1^\nu$, selects a composite modulus $n = pq$ so that $n$ is a $\nu$-bit number, $p = 2p' + 1$, $q = 2q' + 1$ and $p, p', q, q'$ are all prime, with $p, q$ of equal size, at least $\lfloor \nu/2 \rfloor + 1$ bits. Then it samples $g \leftarrow \mathbb{Z}^*_{n^2}$ and computes $g_1 \leftarrow g^{2n} \pmod{n^2}$. Observe that with very high probability $\langle g_1 \rangle$ is a subgroup of order $p'q'$ within $\mathbb{Z}^*_{n^2}$. In that case $\langle g_1 \rangle$ is the group that contains all square $n$-th residues of $\mathbb{Z}^*_{n^2}$, and we call this group $X_{n^2}$. We note further that every element of $\mathbb{Z}^*_{n^2}$ can be written in a unique way in the form $g_1^r (1+n)^v (-1)^a (p_2 p^2 - q_2 q^2)^\beta$ where $r \in [p'q']$, $v \in [n]$, $a, \beta \in \{0, 1\}$ (in this decomposition $p_2, q_2$ are integers satisfying $p_2 p^2 \equiv 1 \pmod{q^2}$ and $q_2 q^2 \equiv 1 \pmod{p^2}$). We denote by $Q_{n^2}$ the subgroup of quadratic residues modulo $n^2$, which is easily seen to contain exactly the elements of the form $g_1^r (1+n)^v$ with $r \in \mathbb{Z}_{p'q'}$ and $v \in \mathbb{Z}_n$; it has order $np'q'$ (precisely one fourth of $\mathbb{Z}^*_{n^2}$) and is generated by $g_1(1+n)$. We use the notation $h =_{df} 1 + n$. Finally, a second value $g_2$ is selected as follows: $w$ is sampled at random from $[\frac{n}{4}] =_{df} \{0, \ldots, \lfloor \frac{n}{4} \rfloor\}$ and we set $g_2 \leftarrow g_1^w$. A random member $\mathcal{H}$ of a universal one-way hash function family UOWHF is selected jSOl; the range of $\mathcal{H}$ is assumed to be $[0, 2^{\nu/2 - 2})$. The global parameters of the cryptosystem, shared by all recipients, are $param = (n, g_1, g_2, desc\mathcal{H})$, where $desc\mathcal{H}$ is the description of $\mathcal{H}$.

Key Generation. The key-generation algorithm $\mathcal{G}_e$ receives the parameters $(n, g_1, g_2, desc\mathcal{H})$, samples $x_1, x_2, y_1, y_2, z \leftarrow_r [\frac{n}{4}]$ and sets $pk = (c, d, y)$ where $c = g_1^{x_1} g_2^{x_2}$, $d = g_1^{y_1} g_2^{y_2}$ and $y = g_1^z$; the secret key is $sk = (x_1, x_2, y_1, y_2, z)$. Note that below we may include the string $param$ as part of the $pk$ and $sk$ strings to avoid repeating it; nevertheless it should be recalled in all cases that $n, g_1, g_2, desc\mathcal{H}$ are global parameters available to all parties.

Encryption. The encryption function $\mathcal{E}$ operates as follows: given $pk$, a message $w$ and a label $L$, it samples $r \leftarrow_r [\frac{n}{4}]$ and outputs the tuple $(u_1, u_2, e, v)$ computed as $u_1 \leftarrow g_1^r \bmod n^2$, $u_2 \leftarrow g_2^r \bmod n^2$, $e \leftarrow y^r (1+n)^w \bmod n^2$, $v \leftarrow \| c^r d^{r \mathcal{H}(u_1, u_2, e, L)} \bmod n^2 \|$, where $\| \cdot \| : \mathbb{Z}^*_{n^2} \to \mathbb{Z}^*_{n^2}$ is defined by $\|x\| = x$ if $x < n^2/2$ and $\|x\| = -x$ if $x > n^2/2$. We note that the “absolute value” function $\| \cdot \|$ is used to disallow the malleability of a ciphertext with respect to multiplication by $-1$ (cf. the decryption test below). To summarize, encryption works as follows:

$u_1 \leftarrow g_1^r \qquad u_2 \leftarrow g_2^r \qquad e \leftarrow y^r h^w \qquad v \leftarrow \| c^r d^{r \mathcal{H}(u_1, u_2, e, L)} \|$

Decryption. The decryption function $\mathcal{D}$, given a ciphertext $(u_1, u_2, e, v)$ and a label $L$, performs the following checks:

$v = \|v\| \qquad \wedge \qquad v^2 = \left( u_1^{x_1} u_2^{x_2} \left( u_1^{y_1} u_2^{y_2} \right)^{\mathcal{H}(u_1, u_2, e, L)} \right)^2$

If all tests pass it computes $m' = e^2 u_1^{-2z} - 1 \pmod{n^2}$ and returns $(m'/n) \cdot 2^{-1} \bmod n$; otherwise it returns $\perp$.

This completes the description of the cryptosystem. Observe that the cryptosystem is correct, i.e., decryption inverts encryption: indeed, assuming that $(u_1, u_2, e, v) \leftarrow \mathcal{E}(pk, w, L)$, we have $m' = e^2 u_1^{-2z} - 1 \equiv_{n^2} h^{2w} - 1$, and since $h^x \equiv_{n^2} 1 + xn$ for all $x \in \mathbb{Z}_n$, it follows that $m' \equiv_{n^2} (2w \bmod n) \cdot n$. Hence $(m'/n) \cdot 2^{-1} \bmod n = w$.

We next argue about the security of the cryptosystem. We note that the above cryptosystem has a “double trapdoor” property: for each public key $c, d, y$ based on the parameters $n, g_1, g_2, desc\mathcal{H}$, one trapdoor is the discrete logarithm of $y$ to the base $g_1$, whereas the other trapdoor is the factorization of $n$. Indeed, given the factorization of $n$, one can easily decrypt any ciphertext $(u_1, u_2, e, v)$ by computing $e^{p'q'} \equiv_{n^2} h^{p'q' w}$; subsequently $w$ can be computed in the same manner as in the regular decryption function. In GE the global trapdoor is not used and the factorization of $n$ is assumed to be unknown to all parties. The intractability assumption that will be employed is the following:

Definition 5. The Decisional Composite Residuosity (DCR) assumption W\: it is computationally hard to distinguish between (i) tuples of the form $(n, u^n \bmod n^2)$ where $n$ is a composite RSA modulus and $u \leftarrow_r \mathbb{Z}^*_{n^2}$, and (ii) tuples of the form $(n, v)$ where $v \leftarrow_r \mathbb{Z}^*_{n^2}$.

Next, we prove IND-CCA2 security under the DCR.

Theorem 2. The cryptosystem $(\mathcal{Z}_e, \mathcal{G}_e, \mathcal{E}, \mathcal{D})$ defined above satisfies CCA2 security under the DCR assumption and the target collision resistance of the employed UOWH family.
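The cryptosystem described above, as an added worked example (this is not the paper’s code): a toy Python instantiation with 40-bit safe primes, SHA-256 truncated to $\nu/2 - 2$ bits standing in for the UOWHF $\mathcal{H}$, and a seeded RNG, so it is for studying the scheme rather than protecting anything. It runs the two decryption checks against tampered ciphertexts (negated $v$, negated $e$, wrong label) and also decrypts through the factorization of $n$, i.e. the second trapdoor of the “double trapdoor” property. The function names, parameter sizes and the sample plaintext and label are the example’s own choices.

```python
"""Toy instantiation of the Paillier-based, Cramer-Shoup-style labeled cryptosystem.

Added example, not from the paper. SHA-256 stands in for the UOWHF H, the safe
primes are tiny (40 bits) and the RNG is seeded; use it to study the scheme only.
"""
import hashlib
import math
import random

RNG = random.Random(2007)  # fixed seed: constructed, reproducible example


def is_probable_prime(m, rounds=32):
    """Trial division by small primes, then Miller-Rabin."""
    if m < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if m % sp == 0:
            return m == sp
    d, s = m - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(RNG.randrange(2, m - 1), d, m)
        if x in (1, m - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, m)
            if x == m - 1:
                break
        else:
            return False
    return True


def safe_prime(bits):
    """p = 2p' + 1 with p, p' prime and p exactly `bits` bits long."""
    while True:
        pp = RNG.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(pp) and is_probable_prime(2 * pp + 1):
            return 2 * pp + 1


def setup(bits=40):
    """Z_e: n = pq, g1 = g^(2n) generates X_{n^2} w.h.p., g2 = g1^w. Also returns (p, q) for the trapdoor demo."""
    p = safe_prime(bits)
    q = safe_prime(bits)
    while q == p:
        q = safe_prime(bits)
    n, n2 = p * q, (p * q) ** 2
    g1 = pow(RNG.randrange(2, n2), 2 * n, n2)
    g2 = pow(g1, RNG.randrange(1, n // 4), n2)
    # H ranges over [0, 2^(nu/2 - 2)) with nu = |n| = 2 * bits
    return {"n": n, "n2": n2, "g1": g1, "g2": g2, "hbits": bits - 2}, (p, q)


def keygen(pp):
    """G_e: pk = (c, d, y) = (g1^x1 g2^x2, g1^y1 g2^y2, g1^z); sk = (x1, x2, y1, y2, z)."""
    n, n2, g1, g2 = pp["n"], pp["n2"], pp["g1"], pp["g2"]
    x1, x2, y1, y2, z = (RNG.randrange(0, n // 4 + 1) for _ in range(5))
    c = pow(g1, x1, n2) * pow(g2, x2, n2) % n2
    d = pow(g1, y1, n2) * pow(g2, y2, n2) % n2
    return (c, d, y := pow(g1, z, n2)), (x1, x2, y1, y2, z)


def hash_to_int(pp, u1, u2, e, label):
    """Stand-in for H(u1, u2, e, L): SHA-256 truncated to hbits bits (assumption of this example)."""
    data = b"|".join(str(t).encode() for t in (u1, u2, e)) + b"|" + label
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - pp["hbits"])


def absval(x, n2):
    """||x|| = x if x < n^2/2 else -x mod n^2; strips the sign so v cannot be replaced by -v."""
    return x if x <= n2 // 2 else n2 - x


def encrypt(pp, pk, w, label):
    """E(pk, w, L) -> (u1, u2, e, v) for a plaintext w in Z_n."""
    n, n2, g1, g2 = pp["n"], pp["n2"], pp["g1"], pp["g2"]
    c, d, y = pk
    r = RNG.randrange(0, n // 4 + 1)
    u1, u2 = pow(g1, r, n2), pow(g2, r, n2)
    e = pow(y, r, n2) * pow(1 + n, w, n2) % n2
    hv = hash_to_int(pp, u1, u2, e, label)
    return (u1, u2, e, absval(pow(c, r, n2) * pow(d, r * hv, n2) % n2, n2))


def decrypt(pp, sk, ct, label):
    """D(sk, ct, L): the two validity checks, then Paillier-style recovery. None plays the role of the reject symbol."""
    n, n2 = pp["n"], pp["n2"]
    u1, u2, e, v = ct
    x1, x2, y1, y2, z = sk
    if v != absval(v, n2) or math.gcd(u1, n2) != 1:
        return None
    hv = hash_to_int(pp, u1, u2, e, label)
    t = pow(u1, x1 + y1 * hv, n2) * pow(u2, x2 + y2 * hv, n2) % n2  # = c^r d^(rH) for a well-formed ct
    if pow(v, 2, n2) != pow(t, 2, n2):  # squaring absorbs the sign removed by ||.||
        return None
    m = (pow(e, 2, n2) * pow(u1, -2 * z, n2) - 1) % n2  # = h^(2w) - 1 = (2w mod n) * n
    if m % n:
        return None
    return (m // n) * pow(2, -1, n) % n


def decrypt_with_factorization(pp, p, q, ct):
    """Second trapdoor: raising e to p'q' kills the X_{n^2} component and leaves h^(p'q' w) = 1 + p'q' w n."""
    n, n2 = pp["n"], pp["n2"]
    lam = ((p - 1) // 2) * ((q - 1) // 2)
    m = (pow(ct[2], lam, n2) - 1) % n2  # = (p'q' w mod n) * n
    return (m // n) * pow(lam, -1, n) % n


def demo():
    """Round trip, the three tampering cases, and decryption via the factorization of n."""
    pp, (p, q) = setup()
    pk, sk = keygen(pp)
    ct = encrypt(pp, pk, 123456789, b"transaction-42")  # constructed plaintext and label
    u1, u2, e, v = ct
    return {
        "roundtrip": decrypt(pp, sk, ct, b"transaction-42"),
        "wrong_label": decrypt(pp, sk, ct, b"transaction-43"),
        "negated_v": decrypt(pp, sk, (u1, u2, e, pp["n2"] - v), b"transaction-42"),
        "negated_e": decrypt(pp, sk, (u1, u2, pp["n2"] - e, v), b"transaction-42"),
        "via_factoring": decrypt_with_factorization(pp, p, q, ct),
    }
```

The negated-$v$ case is rejected by the $v = \|v\|$ test alone; the negated-$e$ and wrong-label cases change $\mathcal{H}(u_1, u_2, e, L)$ and so fail the squared consistency check, which is the role the hash plays in binding the label to the ciphertext.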

Interestingly, it is not clear whether the DCR can be used to prove the key privacy of the cryptosystem. To see why, consider the CPA version of the cryptosystem using only a single generator over $X_{n^2}$: in the CPA case the cryptosystem is similar to ElGamal, with ciphertexts being pairs of the form $(g^r \bmod n^2,\ y^r h^m \bmod n^2)$. IND-CPA security can easily be shown under the DCR assumption. On the other hand, to show CPA key privacy one has to (essentially) establish the indistinguishability of the distributions $(g, y_0, y_1, g^r, y_0^r h^m)$ and $(g, y_0, y_1, g^r, y_1^r h^m)$. It is not apparent how to apply DCR to prove this indistinguishability; ultimately this is because the message $m$ is the same in both distributions and its randomization (easily provided by DCR) appears to be immaterial to the indistinguishability of the two distributions. Note also that since the adversary is not interested in the $h^m$ portion of the ciphertext, he can easily cancel it out by raising everything to the power $n$. For this reason the power of DCR seems of little use in this case, and a Diffie-Hellman-like assumption in $X_{n^2}$ seems more appropriate.

Based on the above we employ the Decisional Diffie-Hellman assumption over the group $X_{n^2}$, denoted $\mathsf{DDH}_{SQNR}$. Regarding the relationship between Diffie-Hellman-type problems and the DCR we show the following theorem:

Theorem 3. $\mathsf{DCR} \Rightarrow \mathsf{CDH}_{SQNR}$.

Based on the above we formulate our key-privacy theorem for the cryptosystem:

Theorem 4. The cryptosystem $(\mathcal{Z}_e, \mathcal{G}_e, \mathcal{E}, \mathcal{D})$ defined above satisfies CCA2 key privacy under the $\mathsf{DDH}_{SQNR}$ assumption and the target collision resistance of the employed UOWH family.

Proof of Public-Key Validity. We employ the public-key encryption scheme above to build the public-key database of the GE scheme. When a user joins the group he is allowed to generate a public key and is required to show that the public key is valid. For our new cryptosystem the language of valid public keys is $\mathcal{L}^{param} = \{(c, d, y) \mid c, d, y \in X_{n^2}\}$ where $param = (n, g_1, g_2, \mathcal{H})$. It follows that joining requires three instances of a proof of language membership in the subgroup $X_{n^2}$ of $\mathbb{Z}^*_{n^2}$. The validity of an element $y$ is shown by executing the following steps, where $k_0, k_1 \in \mathbb{N}$ are parameters that affect the soundness and zero-knowledge properties of the proof of language membership below:

1. [User:] Select $t \leftarrow \{0, 1\}^{k_0}$ and transmit $a \leftarrow g_1^t \bmod n^2$.

2. [GM:] Select $c \leftarrow_r \{0, 1\}^{k_1}$ and transmit $c$.

3. [User:] Compute $s \leftarrow t - cz \in \mathbb{Z}$ and transmit $s$.

4. [GM:] Verify $a^2 \equiv_{n^2} (g_1^s y^c)^2$.

It is easy to verify that for any prover that produces a value $y$ and then executes the proof above, it must be the case that $y^2 \in X_{n^2}$ with probability $1 - 2^{-k_1}$. Note that this still allows a slight misbehavior on the part of the user, as he can multiply $y$ by an element of order 2 inside $\mathbb{Z}^*_{n^2}$; while it is easy to add a step to the above proof to exclude this, we do not do so, since we will show the security properties of our GE scheme without such a guarantee.
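The four-move proof above, as an added example that is not part of the paper: it runs the protocol with toy parameters $n = 1019 \cdot 1187$ (both safe primes, checked in the code) and $k_0 = 96$, $k_1 = 16$, chosen so that $s = t - cz$ statistically hides $z$. It shows an honest run being accepted, a prover holding no discrete logarithm of $y$ (here $y = h = 1 + n$, an element of order $n$) being rejected, and the caveat from the text made concrete: $-y$, which differs from $y$ by the order-2 element $-1$, passes the squared verification unchanged. The parameter values, names and the seeded RNG are the example’s own.

```python
"""The X_{n^2} membership proof (commit, challenge, respond, verify) on toy parameters.

Added example, not from the paper. The GM's check only compares squares, so a
public key multiplied by an element of order 2 still passes; that is the
"slight misbehavior" the text mentions, and it is reproduced below.
"""
import math
import random

RNG = random.Random(13)  # seeded: constructed example
P, Q = 1019, 1187        # toy safe primes p = 2p' + 1, q = 2q' + 1 (assumption of this example)


def is_prime(m):
    return m > 1 and all(m % d for d in range(2, math.isqrt(m) + 1))


assert all(is_prime(t) for t in (P, Q, (P - 1) // 2, (Q - 1) // 2))
N = P * Q
N2 = N * N


def sample_g1():
    """g1 = g^(2n) for a random g in Z*_{n^2}: a generator of X_{n^2} with high probability."""
    g = RNG.randrange(2, N2)
    while math.gcd(g, N2) != 1:
        g = RNG.randrange(2, N2)
    return pow(g, 2 * N, N2)


G1 = sample_g1()
K0, K1 = 96, 16          # |t| = k0 must exceed k1 + |z| by a statistical margin; |c| = k1


def user_keys():
    """The joining user's (y, z) with y = g1^z, as in key generation."""
    z = RNG.randrange(0, N // 4 + 1)
    return pow(G1, z, N2), z


def prover_commit():
    """Step 1: t <- {0,1}^k0, a = g1^t mod n^2. Returns (state t, message a)."""
    t = RNG.getrandbits(K0)
    return t, pow(G1, t, N2)


def verifier_challenge():
    """Step 2: c <- {0,1}^k1."""
    return RNG.getrandbits(K1)


def prover_respond(t, c, z):
    """Step 3: s = t - c z over the integers (may be negative)."""
    return t - c * z


def verify(y, a, c, s):
    """Step 4: a^2 == (g1^s y^c)^2 mod n^2; a negative s is handled by pow via the modular inverse."""
    rhs = pow(G1, s, N2) * pow(y, c, N2) % N2
    return pow(a, 2, N2) == pow(rhs, 2, N2)


def run_proof(y, z):
    """One interactive run in which the prover uses whatever z it holds for y."""
    t, a = prover_commit()
    c = verifier_challenge()
    return verify(y, a, c, prover_respond(t, c, z))


def demo():
    y, z = user_keys()
    return {
        "honest": run_proof(y, z),
        "minus_y_passes": run_proof((N2 - y) % N2, z),  # y * (-1): order-2 factor survives the squared check
        "h_fails": run_proof(1 + N, z),                 # h = 1 + n has order n and is not in X_{n^2}
        "wrong_z_fails": run_proof(y, (z + 1) % N),
    }
```

The rejection of $h$ does not depend on the prover’s choice of $z$: $\langle g_1 \rangle$ and $\langle h \rangle$ have coprime orders, so the only way $g_1^{-2cz} h^{2c} = 1$ is $c = 0$, which happens with probability $2^{-k_1}$, matching the soundness bound in the text.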

Construction of GE of Discrete-logarithms. We proceed to the description of the GE scheme $\mathsf{SETUP}, \mathsf{JOIN}, (\mathcal{G}_{dl}, \mathcal{R}_{dl}, \mathsf{sample}_{dl}), \mathsf{ENC}, \mathsf{DEC}, \mathsf{OPEN}, (\mathcal{P}, \mathcal{V}, \mathsf{recon})$. First recall that for the discrete-logarithm relation, $\mathcal{G}_{dl}$ given $1^\nu$ samples a description of a cyclic group $G$ of $\nu$-bit order and a generator $\gamma$ of that group; $\mathcal{R}_{dl}$ contains pairs of the form $(x, w)$ where $x = \gamma^w$. Finally $\mathsf{sample}_{dl}$ on input $pk_{\mathcal{R}} = (desc(G), \gamma)$ selects a witness $w$ and returns the pair $(x = \gamma^w, w)$.
Parameter Selection. The procedure SETUP selects the following parameters:

o Integer values $k_0, k_1$.

o A safe composite $n$ of $\ell_n$ bits and generators $g, \hat g, g_1, g_2$ of the group $X_{n^2}$.

o The description of a hash function $H$ drawn at random from a UOWH family.

o A prime number $Q$ of the form $A \cdot n^2 + 1$ and $F, H$ generators of the order $n^2$ subgroup of $\mathbb{Z}^*_Q$.

o A safe composite $\tilde n$ of the chosen bit length and two generators $\tilde g, \tilde y$ of the group $X_{\tilde n^2}$.

o A sequence of integers $G, Y_1, Y_2, Y_3 \in \mathbb{N}$ of length $\ell_N$.

We stress that the above parameters are part of the trusted setup of the system (also referred to as the common reference string), and no participant of the system, including the GM, OA, or any user, will know any private information about these values.

SETUP$_{OA}$. The procedure selects $x_1, x_2, y_1, y_2, z$ (from the integer range prescribed by the encryption scheme) and sets $pk_{OA} = (y, c, d) = (g^{z}, g^{x_1} \hat g^{x_2}, g^{y_1} \hat g^{y_2})$.

SETUP$_{GM}$. The GM will employ a digital signature $(\mathcal{G}_s, \mathcal{S}, \mathcal{V}_s)$ that must satisfy adaptive chosen message security and be suitable for engaging in proofs of knowledge of signed messages when the signature is committed. In our design we will employ the block signature of Camenisch and Lysyanskaya [?] as the underlying digital signature scheme (henceforth referred to as CL-signature). The choice of the digital signature is not unique to our design and other signature schemes can be employed as well. The key-generation procedure $\mathcal{G}_s$ (that will be used by the GM in SETUP$_{GM}$) samples a pair $(sk_{GM}, pk_{GM})$ where $pk_{GM} = (A_0, A_{1,c}, A_{1,d}, A_{1,y}, A_2, N)$ with $N$ a safe composite of $\ell_N$ bits and $A_0, A_{1,c}, A_{1,d}, A_{1,y}, A_2 \in \mathbb{Z}^*_N$ random quadratic residues in $QR_N$. The signing key $sk_{GM}$ is the factorization of $N$. In addition to $\ell_N$ we have the parameter $\ell_m$, where $[0, 2^{\ell_m}) \times [0, 2^{\ell_m}) \times [0, 2^{\ell_m})$ will be the message space for the signature, such that $n^2 < 2^{\ell_m}$ (this is because we want to use the signature to sign public-keys of the encryption scheme).

JOIN. The prospective group member submits $c, d, y$ as generated by the encryption system $(\mathcal{G}_e, \mathcal{E}, \mathcal{D})$ given in the beginning of the section. In particular, recall that $(c, d, y)$ is defined as $c \leftarrow g_1^{x_1} g_2^{x_2} \bmod n^2$, $d \leftarrow g_1^{y_1} g_2^{y_2} \bmod n^2$, $y \leftarrow g_1^{z}$, with $x_1, x_2, y_1, y_2, z$ drawn from the integer range prescribed by the encryption scheme. The secret key of the user is set to the values $x_1, x_2, y_1, y_2, z$. The user engages with the GM in a proof of membership for the validity of $c, d, y$. Upon acceptance the GM will use the signing procedure $\mathcal{S}$ for CL-signatures, which is as follows: given the message $M = (c, d, y)$, the GM samples $R \leftarrow [0, 2^{\ell_N + \ell_m + \ell})$, where $\ell$ is a security parameter, and a random prime $E > 2^{\ell_m + 1}$ of length $\ell_m + 2$ bits; then it computes $A = (A_0 A_{1,c}^{c} A_{1,d}^{d} A_{1,y}^{y} A_2^{R})^{1/E} \pmod N$ (recall that the factorization of $N$ is the signing key). Finally the signature on $M$ is the triple $(A, E, R)$.

Finally, the GM enters $(c, d, y)$ into the public database followed by the signature. Note that the GM should not allow a user to enter into the database a key $(c, d, y)$ such that there is already some $(c_j, d_j, y_j)$ in the database for which it holds that $c^2 = c_j^2$, or $d^2 = d_j^2$, or $y^2 = y_j^2$. Recall that the verification algorithm $\mathcal{V}_s$, given a message $M = (c, d, y)$ and a signature $(A, E, R)$ on it, checks whether it holds that $A^{E} = A_0 A_{1,c}^{c} A_{1,d}^{d} A_{1,y}^{y} A_2^{R} \bmod N$ and verifies all the range constraints on $c, d, y, E, R$ as stated above.

ENC, DEC and recon. Following our modular design methodology of Section [?], the GE encryption function consists of the encryption of the witness $w$ under a recipient's public-key $(c, d, y)$ and a sequence of commitments to the public-key used and commitments to the certificate of this public-key. More specifically, when Alice wants to encrypt her witness $w$ for her public-value $x = \gamma^{w}$ under label $L$ she computes the following:

1. Commitment to Certificate of Public-key. The commitment to the certificate of the public-key of the recipient that Alice selected is formed as follows: for the certificate $(A, E, R)$ the values $B = G^{2u} \bmod N$, $\hat A = Y_1^{2u} A \bmod N$, $\hat E = Y_3^{2u} G^{2E} \bmod N$, $\hat R = Y_2^{2u} G^{2R} \bmod N$ are computed.

2. Bridge Commitments. The "bridge commitments" will assist in the efficient proof of ciphertext validity. In particular Alice includes the commitments $\tilde E = \tilde g^{E} (l_1)^{\tilde n} \bmod \tilde n^2$, $\tilde R = \tilde g^{R} (l_2)^{\tilde n} \bmod \tilde n^2$ with $l_j \leftarrow \mathbb{Z}_{\tilde n}$ for $j = 1, 2$. Moreover she includes the commitments $\tilde y = H^{l_y} F^{y} \bmod Q$, $\tilde c = H^{l_c} F^{c} \bmod Q$, $\tilde d = H^{l_d} F^{d} \bmod Q$.

3. Encryption of the recipient's public-key. The encryption of the public-key that Alice selected is formed as three ciphertexts $(f_c, f_c', f_c'', f_c''')$, $(f_d, f_d', f_d'', f_d''')$, $(f_y, f_y', f_y'', f_y''')$, where each is computed as $(g^{u_a}, \hat g^{u_a}, y^{u_a} a, c^{u_a} d^{u_a H(L'_a)})$ for $a \in \{y, c, d\}$, with $u_a$ drawn from the integer range prescribed by the encryption scheme and $L'_a = (f_a, f_a', f_a'', L)$.

4. Encryption of the witness. The encryption of the witness $w$ is $(u_1, u_2, e, v) \leftarrow (g_1^{r}, g_2^{r}, y^{r} h^{w}, \| c^{r} d^{r H(u_1, u_2, e, L, \ldots)} \|)$.

DEC is the decryption process as defined in the beginning of the section for the new encryption scheme; recon is simply the identity function.

OPEN. The opening procedure applies to the three ciphertexts excluding the witness ciphertext (item 4 above). In particular, it returns $(c, d, y) = (f_c'' f_c^{-z}, f_d'' f_d^{-z}, f_y'' f_y^{-z})$ or $\perp$ depending on the outcome of the tests $f_a^{x_1 + y_1 H(L'_a)} (f_a')^{x_2 + y_2 H(L'_a)} = f_a'''$ for $a \in \{y, c, d\}$. The owner of the public-key is identified by comparing $(c^2, d^2, y^2)$ to all entries $(c_j^2, d_j^2, y_j^2)$ that are inside the database.
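The opening authority's side of item 3 and of OPEN above, as an added example that is not part of the paper: the four-component encryption of each public-key element under $pk_{OA}$, the validity test, the recovery of $(c, d, y)$ and the comparison of squares against the database. Python over the same toy modulus $n = 23 \cdot 47$ (constructed, not secure); SHA-256 stands in for the UOWH $H$, the sampling ranges, the label string and the database entries are constructed, and `None` plays the role of $\perp$.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy parameters (NOT secure); all arithmetic is in Z^*_{n^2}.
N = 23 * 47
N2 = N * N


def random_square():
    """A random square of Z^*_{n^2} (stands in for a generator / group element)."""
    while True:
        r = secrets.randbelow(N2)
        if r > 1 and gcd(r, N) == 1:
            return pow(r, 2, N2)


def hash_to_int(*parts):
    """Stand-in (assumption) for the UOWH H applied to the label L'_a = (f_a, f_a', f_a'', L)."""
    data = "|".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def setup_oa(g, g_hat):
    """SETUP_OA: secret (x1, x2, y1, y2, z); pk_OA = (y, c, d) = (g^z, g^x1 ĝ^x2, g^y1 ĝ^y2)."""
    x1, x2, y1, y2, z = (secrets.randbelow(N2) for _ in range(5))
    y = pow(g, z, N2)
    c = pow(g, x1, N2) * pow(g_hat, x2, N2) % N2
    d = pow(g, y1, N2) * pow(g_hat, y2, N2) % N2
    return (x1, x2, y1, y2, z), (y, c, d)


def enc_to_oa(pk_oa, g, g_hat, a, label):
    """Item 3 of ENC for one public-key component a: (f, f', f'', f''')."""
    y, c, d = pk_oa
    u = secrets.randbelow(N2)
    f = pow(g, u, N2)
    f1 = pow(g_hat, u, N2)
    f2 = pow(y, u, N2) * a % N2
    tag = hash_to_int(f, f1, f2, label)           # H(L'_a)
    f3 = pow(c, u, N2) * pow(d, u * tag, N2) % N2
    return f, f1, f2, f3


def open_component(sk_oa, cipher, label):
    """OPEN's test f^{x1 + y1 H} (f')^{x2 + y2 H} = f''', then a = f'' / f^z.  None means ⊥."""
    x1, x2, y1, y2, z = sk_oa
    f, f1, f2, f3 = cipher
    tag = hash_to_int(f, f1, f2, label)
    check = pow(f, x1 + y1 * tag, N2) * pow(f1, x2 + y2 * tag, N2) % N2
    if check != f3:
        return None                               # malformed (or re-labelled) ciphertext
    return f2 * pow(f, -z, N2) % N2               # f'' * f^{-z}


def identify_owner(opened, database):
    """Compare (c^2, d^2, y^2) with every registered (c_j^2, d_j^2, y_j^2), as OPEN does."""
    c, d, y = opened
    target = (pow(c, 2, N2), pow(d, 2, N2), pow(y, 2, N2))
    for idx, (cj, dj, yj) in enumerate(database):
        if (pow(cj, 2, N2), pow(dj, 2, N2), pow(yj, 2, N2)) == target:
            return idx
    return None


if __name__ == "__main__":
    g, g_hat = random_square(), random_square()
    sk, pk = setup_oa(g, g_hat)
    db = [(random_square(), random_square(), random_square()) for _ in range(3)]  # constructed keys
    c, d, y = db[1]
    ct = [enc_to_oa(pk, g, g_hat, a, "label-L") for a in (c, d, y)]
    opened = tuple(open_component(sk, x, "label-L") for x in ct)
    print("opened to entry", identify_owner(opened, db))
```

Comparing squares rather than the elements themselves is what makes the identification tolerate the order-2 factor a joining user was allowed to slip into $y$ (or $c$, $d$) during the validity proof.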

The proof of validity $(\mathcal{P}, \mathcal{V})$. This protocol will be constructed as an AND composition of four sub-protocols that, due to lack of space, are presented in the full version [?]. These protocols belong to a class of efficient proofs for discrete log relations that are very common in the design of cryptographic primitives, and their concrete and efficient instantiation has become quite standard in the literature. An exception perhaps is protocol #2, which is a more complex protocol and is related to the "double-decker" proof of knowledge for discrete-logarithms [?]. This protocol is the least efficient as it requires parallel repetition for decreasing the knowledge-error. Still, we stress that the overall communication is independent of the size of the group and well within practical limits.

Based on the above, the theorem below follows as a corollary of Theorem [?].

Theorem 5. The GE scheme for discrete-logarithms defined above satisfies (i) Correctness; (ii) Anonymity and (iii) Security, under the $\mathrm{DDH}_{\mathrm{sqnr}}$, DDH over $QR_N$, DCR and the collision resistance of the UOWH family; (iv) Soundness, under the Strong-RSA and the DLOG assumptions.
Abstract. This paper describes the first identity-based broadcast encryption scheme (IBBE) with constant size ciphertexts and private keys. In our scheme, the public key is of size linear in the maximal size $m$ of the set of receivers, which is smaller than the number of possible users (identities) in the system. Compared with a recent broadcast encryption system introduced by Boneh, Gentry and Waters (BGW), our system has comparable properties, but with a better efficiency: the public key is shorter than in BGW. Moreover, the total number of possible users in the system does not have to be fixed in the setup.


1 Introduction 

Broadcast Encryption. The concept of Broadcast Encryption (BE) was introduced by Fiat and Naor in [?]. In BE schemes, a broadcaster encrypts messages and transmits them to a group of users who are listening to a broadcast channel and use their private keys to decrypt transmissions. At encryption time, the broadcaster can choose the set $S$ of identities that will be able to decrypt messages. A BE scheme is said to be fully collusion resistant when, even if all users that are not in $S$ collude, they can by no means infer information about the broadcast message.

Many BE systems have been proposed [?]. The best known fully collusion resistant systems are the schemes of Boneh, Gentry and Waters [?], which achieve $O(\sqrt{n})$-size ciphertexts and public key, or constant size ciphertexts, $O(n)$-size public key and constant size private keys in a construction that we denote by BGW$_1$ in the following. A lot of systems make use of the hybrid (KEM-DEM) encryption paradigm, where the broadcast ciphertext only encrypts a symmetric key used to encrypt the broadcast contents. We will adopt this methodology in the following.

Dynamic Broadcast Encryption. The concept of Dynamic Broadcast Encryption (DBE) was introduced by Delerablée, Paillier and Pointcheval in [?]. A DBE scheme is a BE in which the total number of users is not fixed in the setup, with the property that any new user can decrypt all previously distributed messages. Thus a DBE scheme is suitable for some applications, like DVD encryption.

K. Kurosawa (Ed.): ASIACRYPT 2007, LNCS 4833, pp. 200-215, 2007.

Nevertheless, some applications like Video on Demand (VOD) need forward secrecy. This paper addresses this problem in the identity-based setting.

ID-based Encryption. In 1984, Shamir [?] asked for a public key encryption scheme in which the public key can be an arbitrary string.

Since the problem was posed in 1984, there have been several proposals for Identity-Based Encryption (IBE) schemes. However, we can consider that the first practical IBE scheme was introduced by Boneh and Franklin in 2001 [?]. Since 2001, several schemes have been introduced [?]. Concerning the security, there are mainly two definitions:

1. Full security, which means that the attacker can choose adaptively the identity he wants to attack (after having seen the parameters);

2. Selective-ID security, which means that the attacker must choose the identity he wants to attack at the beginning, before seeing the parameters. Selective-ID security is thus weaker than full security.

Since the scheme in [?] is proved secure in the random oracle model, several papers have proposed systems secure without random oracles. In [?], one of the systems has short parameters and a tight security reduction in the standard model (proved secure against selective-ID adversaries). In [?], Gentry proposed the first IBE system that is fully secure without random oracles, has short public parameters and has a tight security reduction.

Multi-receiver ID-based Key Encapsulation (mID-KEM). A multi-receiver key encapsulation scheme (mKEM) is an efficient key encapsulation mechanism for multiple parties. This notion was introduced in [?]. Note that this notion is different from multi-recipient public key encryption [?], where the sender wants to send one (different) message to each receiver.

Later, in [?] and [?], the notion of mKEM was extended to multi-receiver identity-based key encapsulation (mID-KEM), i.e. mKEM in the identity-based setting. In [?] and [?], the ciphertext size grows with the number of receivers. In [?], Chatterjee and Sarkar achieved a controllable trade-off between the ciphertext size and the private key size: ciphertexts are of size $|S|/N$, and private keys are of size $N$, where $S$ is the set of receivers and $N$ a parameter of the protocol (which also represents, in the security reduction, the maximum number of identities that the adversary is allowed to target). Thus they introduced the first mID-KEM protocols to achieve sub-linear ciphertext sizes. Very recently, Abdalla et al. proposed in [?] a generic construction that achieves ciphertexts of constant size, but private keys of size $O(n_{max}^2)$.

In the following, we do not employ the term “mID-KEM” anymore, but we 
talk about “identity-based broadcast encryption” (IBBE), to emphasize that this 
notion is close to broadcast encryption and ID-based encryption. We consider 
IBBE as a natural generalization of IBE. Indeed, in IBE schemes, one public key 
can be used to encrypt a message to any possible identity. In an IBBE scheme, 
one public key can be used to encrypt a message to any possible group of s 
identities. Consequently, if we set s = 1, the resulting IBBE scheme is an IBE 
scheme. The trivial solution to construct an IBBE scheme would be to use an IBE 
scheme to encrypt the message once for each identity. The resulting ciphertext 
would be of size linear in s. We also see IBBE as a way to make broadcast 
encryption more practical. 

Motivations. We focus on schemes with ciphertexts of constant size. In BGW$_1$, as we said before, the public key is linear in the total number of decryption keys that can be distributed. Moreover, this number is fixed in the setup. Thus one of our motivations is to introduce a system in which the number of possible decryption keys is not fixed in the setup, and thus does not have any impact on the size of the public key. In [?] and [?], the trade-off between the ciphertext size and the private key size implies that if we want to have short ciphertexts, the private keys cannot be of constant size. Thus we would like to have both ciphertexts and private keys of constant size (as in BGW$_1$). Note that in some systems like the HIBE scheme in [?], the size of the public key can be reduced by using a hash function, viewed as a random oracle in the security proof, but this is not the case in BGW$_1$, because all the elements of the public key depend on a single value.

Our contributions. In this paper, we propose the first identity-based broadcast encryption scheme with constant size ciphertexts and private keys. Our construction is a Key Encapsulation Mechanism (KEM), thus long messages can be encrypted under a short symmetric key. In our solution, ciphertexts and private keys are of constant size, and the public key is linear in the maximal value of $s$. Moreover, in our scheme, the Private Key Generator ($\mathcal{PKG}$) can dynamically add new members without altering previously distributed information (as in IBE schemes). We also note that there is no hierarchy between identities, contrary to HIBE (Hierarchical IBE [?]). No organization of the users is needed to have short ciphertexts. Note that the public key is linear in the maximal size of $S$, and not in the number of decryption keys that can be distributed, which is the number of possible identities. The following framework is an example to show the benefits of our solution: the $\mathcal{PKG}$ can send short-term decryption keys. Then sending a new decryption key could be conditional (each month, if the user pays his bill, for example), without affecting the performance of the system. Indeed, there is no need to revoke previous keys, because the encryption takes into account the set of users who can decrypt. We can compare our scheme with BGW$_1$ in such a situation: if we consider that the number of users who can decrypt is $s$, and that each user receives a new key at the end of each time period, then the size of the public key in BGW$_1$ would be $s \cdot t$, with $t$ the number of time periods, for example. In our scheme, it would be $s$. Thus one can note that BGW$_1$ is not really suited to such a situation (the public key would grow linearly with the number of time periods). In other words, in BGW$_1$, the public key is linear in the number of private keys that can be distributed, whereas in our construction, the public key is linear in the maximal number of receivers of a ciphertext, which is independent of the number of private keys that can be distributed. Indeed, in our case, the number of possible private keys is the number of possible identities. Note that if there are $n$ receivers and it happens that $n > m$, we can just concatenate several encryptions together and get $n/m$-size ciphertexts (as in [?]), still with constant size private keys. Moreover, in our construction, the ciphertext size is deterministic, whereas [?] makes probabilistic efficiency claims.


2 Preliminaries 

We propose a formal definition of an identity-based broadcast encryption scheme and security notions that we associate to it. We basically include an Extract procedure in the definition of Broadcast Encryption given in [?]. Our formal model can also be viewed as a generalization of classical IBE systems. Concerning the security, we follow the definition of the classical security notions for BE (security against static adversaries) [?], which is close to the notion of selective-ID security used in [?].


2.1 Identity-Based Broadcast Encryption (IBBE) 

An IBBE scheme involves an authority: the Private Key Generator ($\mathcal{PKG}$). The $\mathcal{PKG}$ grants new members the capability of decrypting messages by providing each new member (with identity $ID_i$) a decryption key $sk_{ID_i}$. The generation of $sk_{ID_i}$ is performed using a master secret key MSK. The broadcaster encrypts messages and transmits these to the group of users via the broadcast channel. In a (public-key) IBBE encryption scheme, the broadcaster does not hold any private information and encryption is performed with the help of a public key PK and the identities of the receivers. Following the KEM-DEM methodology, broadcast encryption is viewed as the combination of a specific key encapsulation mechanism (a Broadcast-KEM) with a symmetric encryption (DEM) that shall remain implicit throughout the paper. More formally, an identity-based broadcast encryption scheme $\mathcal{IBBE}$ with security parameter $\lambda$ and maximal size $m$ of the target set is a tuple of algorithms $\mathcal{IBBE} = (\mathrm{Setup}, \mathrm{Extract}, \mathrm{Encrypt}, \mathrm{Decrypt})$ described as follows:

Setup($\lambda$, $m$). Takes as input the security parameter $\lambda$ and $m$, the maximal size of the set of receivers for one encryption, and outputs a master secret key MSK and a public key PK. The $\mathcal{PKG}$ is given MSK, and PK is made public.

Extract(MSK, $ID_i$). Takes as input the master secret key MSK and a user identity $ID_i$. Extract generates a user private key $sk_{ID_i}$.

Encrypt($S$, PK). Takes as input the public key PK and a set of included identities $S = \{ID_1, \ldots, ID_s\}$ with $s \le m$, and outputs a pair (Hdr, $K$), where Hdr is called the header and $K \in \mathcal{K}$, with $\mathcal{K}$ the set of keys for the symmetric encryption scheme.

When a message $M \in \{0,1\}^*$ is to be broadcast to users in $S$, the broadcaster generates (Hdr, $K$) $\leftarrow$ Encrypt($S$, PK), computes the encryption $C_M$ of $M$ under the symmetric key $K \in \mathcal{K}$ and broadcasts (Hdr, $S$, $C_M$). We will refer to Hdr as the header or broadcast ciphertext, (Hdr, $S$) as the full header, $K$ as the message encryption key and $C_M$ as the broadcast body.

Decrypt($S$, ID, $sk_{ID}$, Hdr, PK). Takes as input a subset $S = \{ID_1, \ldots, ID_s\}$ (with $s \le m$), an identity ID and the corresponding private key $sk_{ID}$, a header Hdr, and the public key PK. If ID $\in S$, the algorithm outputs the message encryption key $K$, which is then used to decrypt the broadcast body $C_M$ and recover $M$.

Remark. This model defines, when $m = 1$, an IBE system.

2.2 Security Notions for IBBE 

The standard notion for BE schemes is Chosen Ciphertext Security against Static Adversaries. For IBE, one standard notion is selective-ID security (weaker than full security), where the adversary must choose at the beginning of the game the set of identities he wants to attack.

Remark. Note that for $m = 1$ the following security model fits with IND-sID-CCA security for IBE schemes, as used in [?] for example.

IND-sID-CCA Security. We define IND-sID-CCA security of an IBBE system. Security is defined using the following game between an adversary $\mathcal{A}$ and a challenger. We basically refine the definition of [?] by adding extraction queries. Both the adversary and the challenger are given as input $m$, the maximal size of a set of receivers $S$.

Init: The adversary $\mathcal{A}$ first outputs a set $S^* = \{ID_1^*, \ldots, ID_s^*\}$ of identities that he wants to attack (with $s \le m$).

Setup: The challenger runs Setup($\lambda$, $m$) to obtain a public key PK. He gives $\mathcal{A}$ the public key PK.

Query phase 1: The adversary $\mathcal{A}$ adaptively issues queries $q_1, \ldots, q_{s_0}$, where $q_i$ is one of the following:

• Extraction query ($ID_i$) with the constraint that $ID_i \notin S^*$: The challenger runs Extract on $ID_i$ and forwards the resulting private key to the adversary.

• Decryption query, which consists of a triple ($ID_i$, $S$, Hdr) with $S \subseteq S^*$ and $ID_i \in S$. The challenger responds with Decrypt($S$, $ID_i$, $sk_{ID_i}$, Hdr, PK).

Challenge: When $\mathcal{A}$ decides that phase 1 is over, the challenger runs the Encrypt algorithm to obtain (Hdr$^*$, $K$) = Encrypt($S^*$, PK) where $K \in \mathcal{K}$. The challenger then randomly selects $b \leftarrow \{0,1\}$, sets $K_b = K$, and sets $K_{1-b}$ to a random value in $\mathcal{K}$. The challenger returns (Hdr$^*$, $K_0$, $K_1$) to $\mathcal{A}$.

Query phase 2: The adversary continues to issue queries $q_{s_0+1}, q_{s_0+2}, \ldots$, where $q_i$ is one of the following:

• Extraction query ($ID_i$), as in phase 1.

• Decryption query, as in phase 1, but with the constraint that Hdr $\neq$ Hdr$^*$. The challenger responds as in phase 1.

Guess: Finally, the adversary $\mathcal{A}$ outputs a guess $b' \in \{0,1\}$ and wins the game if $b = b'$.

We denote by $q_D$ the total number of decryption queries and by $t$ the total number of extraction queries that can be issued by the adversary during the game. Viewing $t, m, q_D$ as attack parameters, we denote by $\mathrm{Adv}^{ind}_{\mathcal{IBBE}}(t, m, q_D, \mathcal{A})$ the advantage of $\mathcal{A}$ in winning the game:

$$\mathrm{Adv}^{ind}_{\mathcal{IBBE}}(t, m, q_D, \mathcal{A}) = \left| 2 \times \Pr[b' = b] - 1 \right| = \left| \Pr[b' = 1 \mid b = 1] - \Pr[b' = 1 \mid b = 0] \right|$$

where the probability is taken over the random coins of $\mathcal{A}$, the challenger and all probabilistic algorithms run by the challenger.

Definition 1. Let $\mathrm{Adv}^{ind}_{\mathcal{IBBE}}(t, m, q_D) = \max_{\mathcal{A}} \mathrm{Adv}^{ind}_{\mathcal{IBBE}}(t, m, q_D, \mathcal{A})$, where the maximum is taken over all probabilistic algorithms $\mathcal{A}$ running in time poly($\lambda$). An identity-based broadcast encryption scheme $\mathcal{IBBE}$ is said to be $(t, m, q_D)$-IND-sID-CCA secure if $\mathrm{Adv}^{ind}_{\mathcal{IBBE}}(t, m, q_D) = \mathrm{negl}(\lambda)$.

IND-sID-CPA. Analogously to [?], we define semantic security for an IBBE scheme by preventing the attacker from issuing decryption queries.

Definition 2. We say that an identity-based broadcast encryption system is $(t, m)$-IND-sID-CPA secure if it is $(t, m, 0)$-IND-sID-CCA secure.

Remark. In [?], the choice of $S^*$ implies a choice of corrupted users, because the total number of users is fixed in the setup. In the model we described before, the corrupted users are not chosen at the beginning but adaptively. We describe below a modification of our model which does not allow adaptive corruptions, as in [?].

Definition 3. $(t, m, q_D)$-IND-na-sID-CCA security (non-adaptive sID): at initialization time, the attacker outputs a set $S^* = \{ID_1^*, \ldots, ID_s^*\}$ of identities that he wants to attack, and a set $C = \{ID_1, \ldots, ID_t\}$ of identities that he wants to corrupt (i.e. to obtain the corresponding private key). Thus the attacker issues $t$ extraction queries only at the beginning of the game.

Definition 4. We say that an identity-based broadcast encryption system is $(t, m)$-IND-na-sID-CPA secure if it is $(t, m, 0)$-IND-na-sID-CCA secure.

Full collusion resistance. In an IBBE system, the number of possible users (identities) does not have to be fixed at the beginning, thus we cannot really talk about full collusion resistance. If the number $n$ of possible users was fixed, as in [?] for example, our construction would be fully collusion resistant.
2.3 Bilinear Maps

We briefly review the necessary facts about bilinear maps. Let $G_1$, $G_2$ and $G_T$ be three cyclic groups of prime order $p$. A bilinear map $e(\cdot, \cdot)$ is a map $G_1 \times G_2 \to G_T$ such that for any generators $g_1 \in G_1$, $g_2 \in G_2$ and $a, b \in \mathbb{Z}_p$,

• $e(g_1^{a}, g_2^{b}) = e(g_1, g_2)^{ab}$ (Bilinearity)

• $e(g_1, g_2) \neq 1$ (Non-degeneracy).

A bilinear map group system $\mathcal{B}$ is a tuple $\mathcal{B} = (p, G_1, G_2, G_T, e(\cdot, \cdot))$, composed of objects as described above. $\mathcal{B}$ may also include group generators in its description. We impose all group operations as well as the bilinear map $e(\cdot, \cdot)$ to be efficiently computable, i.e. in time poly($|p|$).

As seen later, we make use of an arbitrary bilinear map group system in our constructions. In particular, we do not need $G_1$ and $G_2$ to be distinct or equal. Neither do we require the existence of an efficient isomorphism going either way between $G_1$ and $G_2$, as is the case for some pairing-based systems.

2.4 The General Diffie-Hellman Exponent Assumption 

As in [?], we make use of the generalization of the Diffie-Hellman exponent assumption due to Boneh, Boyen and Goh [?]. They introduced a class of assumptions which includes a lot of assumptions that appeared with new pairing-based schemes. It includes for example the DDH (in $G_T$), BDH, $q$-BDHI, and $q$-BDHE assumptions.

We give an overview in the symmetric case. Let then $\mathcal{B} = (p, G_1, G_2, G_T, e(\cdot, \cdot))$ be a bilinear map group system such that $G_1 = G_2 = G$. Let $g_0 \in G$ be a generator of $G$, and set $g = e(g_0, g_0) \in G_T$. Let $s, n$ be positive integers and $P, Q \in \mathbb{F}_p[X_1, \ldots, X_n]^{s}$ be two $s$-tuples of $n$-variate polynomials over $\mathbb{F}_p$. Thus, $P$ and $Q$ are just two lists containing $s$ multivariate polynomials each. We write $P = (p_1, p_2, \ldots, p_s)$ and $Q = (q_1, q_2, \ldots, q_s)$ and impose that $p_1 = q_1 = 1$. For any function $h : \mathbb{F}_p \to \Omega$ and vector $(x_1, \ldots, x_n) \in \mathbb{F}_p^{n}$, $h(P(x_1, \ldots, x_n))$ stands for $(h(p_1(x_1, \ldots, x_n)), \ldots, h(p_s(x_1, \ldots, x_n))) \in \Omega^{s}$. We use a similar notation for the $s$-tuple $Q$. Let $f \in \mathbb{F}_p[X_1, \ldots, X_n]$. It is said that $f$ depends on $(P, Q)$, which we denote by $f \in \langle P, Q \rangle$, when there exists a linear decomposition

$$f = \sum_{1 \le i, j \le s} a_{i,j} \cdot p_i \cdot p_j + \sum_{1 \le i \le s} b_i \cdot q_i, \qquad a_{i,j}, b_i \in \mathbb{Z}_p.$$

Let $P, Q$ be as above and $f \in \mathbb{F}_p[X_1, \ldots, X_n]$. The $(P, Q, f)$-General Diffie-Hellman Exponent problems are defined as follows.

Definition 5 ($(P, Q, f)$-GDHE). Given the tuple

$$H(x_1, \ldots, x_n) = \left( g_0^{P(x_1, \ldots, x_n)},\; g^{Q(x_1, \ldots, x_n)} \right),$$

compute $g^{f(x_1, \ldots, x_n)}$.

Definition 6 ($(P, Q, f)$-GDDHE). Given $H(x_1, \ldots, x_n) \in G^{s} \times G_T^{s}$ as above and $T \in G_T$, decide whether $T = g^{f(x_1, \ldots, x_n)}$.

We refer to [?] for a proof that $(P, Q, f)$-GDHE and $(P, Q, f)$-GDDHE have generic security when $f \notin \langle P, Q \rangle$. We will prove our constructions are secure based on the assumption that $(P, Q, f)$-GDDHE is intractable for any $f \notin \langle P, Q \rangle$ and polynomial parameters $s, n = \mathrm{poly}(\lambda)$. We just have to determine $P$, $Q$ and $f$ such that we can perform our simulation, and then proving the condition on the polynomials will prove the intractability of our problem (because, as seen before, the $(P, Q, f)$-GDDHE problem is hard for any choice of $P$, $Q$ and $f$ which satisfy the aforementioned condition).
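A worked check of the dependence condition $f \in \langle P, Q \rangle$, as an added example that is neither the paper's nor Boneh, Boyen and Goh's code: multivariate polynomials over a toy prime field $\mathbb{F}_p$ (the modulus 1000003 is constructed; the test is purely algebraic, so the size of $p$ is irrelevant) and Gaussian elimination on the monomial coefficients of $\{p_i p_j\} \cup \{q_i\}$. The instances are the two named in the text, BDH ($P = (1, a, b, c)$, $Q = (1)$, $f = abc$) and DDH in $G_T$ ($P = (1)$, $Q = (1, a, b)$, $f = ab$); those encodings and all function names are the example's assumptions.

```python
from itertools import combinations_with_replacement

# Coefficient field F_p.  The prime is a constructed toy value: the dependence
# test below is purely algebraic, so the size of p is irrelevant to it.
P_MOD = 1_000_003


# A polynomial in F_p[X_1, ..., X_n] is a dict {exponent tuple: nonzero coefficient}.
def var(i, n):
    """The monomial X_i (0-based index i) in n variables."""
    e = [0] * n
    e[i] = 1
    return {tuple(e): 1}


def const(c, n):
    """The constant polynomial c in n variables."""
    return {(0,) * n: c % P_MOD} if c % P_MOD else {}


def add(a, b):
    out = dict(a)
    for e, c in b.items():
        out[e] = (out.get(e, 0) + c) % P_MOD
    return {e: c for e, c in out.items() if c}


def mul(a, b):
    out = {}
    for ea, ca in a.items():
        for eb, cb in b.items():
            e = tuple(x + y for x, y in zip(ea, eb))
            out[e] = (out.get(e, 0) + ca * cb) % P_MOD
    return {e: c for e, c in out.items() if c}


def _reduce(v, basis):
    """Eliminate every pivot column of an echelon basis from the vector v."""
    v = list(v)
    for col, row in basis:
        if v[col]:
            factor = v[col]
            v = [(x - factor * y) % P_MOD for x, y in zip(v, row)]
    return v


def in_span(rows, target):
    """Gaussian elimination over F_p: is target an F_p-linear combination of rows?"""
    basis = []                                   # (pivot column, row scaled to pivot 1)
    for r in rows:
        r = _reduce(r, basis)
        if any(r):
            col = next(i for i, x in enumerate(r) if x)
            inv = pow(r[col], -1, P_MOD)
            basis.append((col, [x * inv % P_MOD for x in r]))
    return not any(_reduce(target, basis))


def depends_on(f, P, Q):
    """f in <P, Q>: does f = sum a_ij p_i p_j + sum b_i q_i have a solution over F_p?
    Symmetric-pairing case of the text: the products p_i p_j are what pairing two
    G-elements yields, the q_i are available in G_T directly."""
    gens = [mul(pi, pj) for pi, pj in combinations_with_replacement(P, 2)] + list(Q)
    monos = sorted({mono for poly in gens + [f] for mono in poly})
    rows = [[poly.get(mono, 0) for mono in monos] for poly in gens]
    target = [f.get(mono, 0) for mono in monos]
    return in_span(rows, target)


# Encodings of the two assumptions named in the text (three variables a, b, c).
n = 3
one = const(1, n)
a, b, c = (var(i, n) for i in range(n))
BDH_P, BDH_Q = [one, a, b, c], [one]             # BDH: given g^a, g^b, g^c, compute e(g,g)^{abc}


def bdh_is_generic_hard():
    """abc has degree 3 but every p_i p_j has degree <= 2, so abc is not in <P, Q>."""
    return not depends_on(mul(mul(a, b), c), BDH_P, BDH_Q)


def ddh_in_gt_is_generic_hard():
    """DDH in G_T: P = (1), Q = (1, a, b); G_T elements cannot be paired, so ab is out of reach."""
    return not depends_on(mul(a, b), [one], [one, a, b])


if __name__ == "__main__":
    print("BDH generically hard:", bdh_is_generic_hard())
    print("DDH in G_T generically hard:", ddh_in_gt_is_generic_hard())
    print("ab from g^a, g^b (one pairing):", depends_on(mul(a, b), BDH_P, BDH_Q))
```

The same routine, fed the $P$ and $Q$ read off from a reduction's simulation, is how the "condition on the polynomials" mentioned in the text is verified before invoking the generic-group bound.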

3 Our Construction 

3.1 Description 

In this section, we present our new IBBE, with constant size ciphertexts and private keys.

Setup($\lambda$, $m$). Given the security parameter $\lambda$ and an integer $m$, a bilinear map group system $\mathcal{B} = (p, G_1, G_2, G_T, e(\cdot, \cdot))$ is constructed such that $|p| = \lambda$. Also, two generators $g \in G_1$ and $h \in G_2$ are randomly selected, as well as a secret value $\gamma \in \mathbb{Z}_p^{*}$. Choose a cryptographic hash function $H : \{0,1\}^* \to \mathbb{Z}_p^{*}$. The security analysis will view $H$ as a random oracle. $\mathcal{B}$ and $H$ constitute the system public parameters. The master secret key is defined as MSK = $(g, \gamma)$. The public key is PK = $(w, v, h, h^{\gamma}, \ldots, h^{\gamma^{m}})$ where $w = g^{\gamma}$ and $v = e(g, h)$.

Extract(MSK, ID). Given MSK = $(g, \gamma)$ and the identity ID, it outputs

$$sk_{ID} = g^{\frac{1}{\gamma + H(ID)}}.$$

Encrypt($S$, PK). Assume for notational simplicity that $S = \{ID_j\}_{j=1}^{s}$, with $s \le m$. Given PK = $(w, v, h, h^{\gamma}, \ldots, h^{\gamma^{m}})$, the broadcaster randomly picks $k \leftarrow \mathbb{Z}_p^{*}$ and computes Hdr = $(C_1, C_2)$ and $K$ where

$$C_1 = w^{-k}, \qquad C_2 = h^{k \cdot \prod_{j=1}^{s} (\gamma + H(ID_j))}, \qquad K = v^{k}.$$

Encrypt outputs (Hdr, $K$). (Then $K$ is used to encrypt the message.)

Decrypt($S$, $ID_i$, $sk_{ID_i}$, Hdr, PK). In order to retrieve the message encryption key $K$ encapsulated in the header Hdr = $(C_1, C_2)$, the user with identity $ID_i$ and the corresponding private key $sk_{ID_i} = g^{\frac{1}{\gamma + H(ID_i)}}$ (with $ID_i \in S$) computes

$$K = \left( e\!\left(C_1, h^{p_{i,S}(\gamma)}\right) \cdot e\!\left(sk_{ID_i}, C_2\right) \right)^{\frac{1}{\prod_{j=1, j \neq i}^{s} H(ID_j)}}$$

with

$$p_{i,S}(\gamma) = \frac{1}{\gamma} \cdot \left( \prod_{j=1, j \neq i}^{s} (\gamma + H(ID_j)) - \prod_{j=1, j \neq i}^{s} H(ID_j) \right).$$
Correctness: Assuming $C$ is well-formed for $S$:

$$\begin{aligned}
K' &:= e\!\left(C_1, h^{p_{i,S}(\gamma)}\right) \cdot e\!\left(sk_{ID_i}, C_2\right) \\
   &= e\!\left(g^{-k\gamma}, h^{p_{i,S}(\gamma)}\right) \cdot e\!\left(g^{\frac{1}{\gamma + H(ID_i)}}, h^{k \prod_{j=1}^{s} (\gamma + H(ID_j))}\right) \\
   &= e(g, h)^{-k \left( \prod_{j=1, j \neq i}^{s} (\gamma + H(ID_j)) - \prod_{j=1, j \neq i}^{s} H(ID_j) \right)} \cdot e(g, h)^{k \prod_{j=1, j \neq i}^{s} (\gamma + H(ID_j))} \\
   &= e(g, h)^{k \prod_{j=1, j \neq i}^{s} H(ID_j)} \\
   &= K^{\prod_{j=1, j \neq i}^{s} H(ID_j)}.
\end{aligned}$$

Thus $K'^{\frac{1}{\prod_{j=1, j \neq i}^{s} H(ID_j)}} = K$.

Efficiency. Our construction achieves $O(1)$-size ciphertexts, $O(m)$-size public keys and constant size private keys. Note that the public key is linear in the maximal size of $S$, and not in the number of decryption keys that can be distributed. If we fix the total number $n$ of users and set $m = n$, then we reduce the public key size by a factor of two compared to BGW. Note also that, as we said before, the broadcaster has to send the set $S$ of identities that are included in the ciphertext. This set is needed to decrypt, as in previous schemes; thus it is counted in the full header, but not in the header.


3.2 Security Analysis 

We prove the IND-sID-CPA security of our system by using the GDDHE framework of [?]. We start by defining the following intermediate decisional problem.

Definition 7 ($(f, g, F)$-GDDHE). Let $\mathcal{B} = (p, G_1, G_2, G_T, e(\cdot, \cdot))$ be a bilinear map group system and let $f$ and $g$ be two coprime polynomials with pairwise distinct roots, of respective orders $t$ and $n$. Let $g_0$ be a generator of $G_1$ and $h_0$ a generator of $G_2$. Solving the $(f, g, F)$-GDDHE problem consists, given

$$g_0,\; g_0^{\gamma},\; \ldots,\; g_0^{\gamma^{t-1}},\; g_0^{\gamma \cdot f(\gamma)},\; g_0^{k \cdot \gamma \cdot f(\gamma)},$$

$$h_0,\; h_0^{\gamma},\; \ldots,\; h_0^{\gamma^{2n}},\; h_0^{k \cdot g(\gamma)},$$

and $T \in G_T$, in deciding whether $T$ is equal to $e(g_0, h_0)^{k}$ or to some random element of $G_T$.

We denote by $\mathrm{Adv}^{gddhe}(f, g, F, \mathcal{A})$ the advantage of an algorithm $\mathcal{A}$ in distinguishing the two distributions and set $\mathrm{Adv}^{gddhe}(f, g, F) = \max_{\mathcal{A}} \mathrm{Adv}^{gddhe}(f, g, F, \mathcal{A})$ over poly($|p|$)-time $\mathcal{A}$'s.

The following statement is a corollary of Theorem [?], which can be found in Appendix [?]. This corollary concerns the case where the polynomials are of the form described above (see the reformulation of the problem in Appendix [?]).
Corollary 1 (Generic security of $(f, g, F)$-GDDHE). For any probabilistic algorithm $\mathcal{A}$ that totalizes at most $q$ queries to the oracles performing the group operations in $G_1$, $G_2$, $G_T$ and the bilinear map $e(\cdot, \cdot)$,

$$\mathrm{Adv}^{gddhe}(f, g, F, \mathcal{A}) \le \frac{(q + 2(n + t + 4) + 2)^{2} \cdot d}{2p}$$

with $d = 2 \cdot \max(n, t + 1)$.


IND-sID-CPA Security. Let 2BB£ denote our construction as per Section 0 We 
state: 

Theorem 1. For any n,t, we have M\i™ BB£ (t,ri) < 2 • Adv gddhe (/, g, F). 

The rest of this section is dedicated to proving Theorem 0 To establish the 
semantic security of 2 BBS against static adversaries, we assume to be given 
an adversary A breaking it under a (t, n)-collusion and we build a reduction 
algorithm 1Z that distinguishes the two distributions of the (f,g,F)- GDDHE 
problem. 

Both the adversary and the challenger are given as input n, the maximal size 
of a set of included users S, and t the total number of extraction queries and 
random oracle queries that can be issued by the adversary. 

Algorithm $\mathcal{R}$ is given as input a group system $\mathcal{B} = (p, G_1, G_2, G_T, e(\cdot,\cdot))$, and
a (f, g, F)-GDDHE instance in $\mathcal{B}$ (as described in the definition above). We thus have f
and g two coprime polynomials with pairwise distinct roots, of respective orders
t and n, and $\mathcal{R}$ is given

$g_0,\; g_0^{\gamma},\; \ldots,\; g_0^{\gamma^{t-1}},\; g_0^{\gamma\cdot f(\gamma)},\; g_0^{k\cdot\gamma\cdot f(\gamma)},$

$h_0,\; h_0^{\gamma},\; \ldots,\; h_0^{\gamma^{2n}},\; h_0^{k\cdot g(\gamma)},$

as well as $T \in G_T$ which is either equal to $e(g_0, h_0)^{k\cdot f(\gamma)}$ or to some random
element of $G_T$.

For simplicity, we state that f and g are unitary polynomials, but this is not
a mandatory requirement.

Notations

• $f(x) = \prod_{i=1}^{t}(x + x_i)$, $g(x) = \prod_{i=t+1}^{t+n}(x + x_i)$

• $f_i(x) = \dfrac{f(x)}{x + x_i}$ for $i \in [1, t]$, which is a polynomial of degree t − 1

• $g_i(x) = \dfrac{g(x)}{x + x_i}$ for $i \in [t + 1, t + n]$, which is a polynomial of degree n − 1

Init: The adversary $\mathcal{A}$ outputs a set $S^* = \{ID_1^*, \ldots, ID_{s^*}^*\}$ of identities that he
wants to attack (with $s^* \le n$).

Setup: To generate the system parameters, $\mathcal{R}$ formally sets $g = g_0^{f(\gamma)}$ (i.e. without
computing it) and sets

$h = h_0^{\prod_{i=t+s^*+1}^{t+n}(\gamma + x_i)},\qquad w = g_0^{\gamma\cdot f(\gamma)} = g^{\gamma},$

$v = e(g_0, h_0)^{f(\gamma)\cdot\prod_{i=t+s^*+1}^{t+n}(\gamma + x_i)} = e(g, h).$

$\mathcal{R}$ then defines the public key as $PK = (w, v, h, h^{\gamma}, \ldots, h^{\gamma^n})$. Note that $\mathcal{R}$
can by no means compute the value of g. $\mathcal{R}$ runs $\mathcal{A}$ on the system parameters
$(\mathcal{B}, \mathcal{H})$ and PK, with $\mathcal{H}$ a random oracle controlled by $\mathcal{R}$ described below.

Hash Queries: At any time the adversary $\mathcal{A}$ can query the random oracle
on any identity $ID_i$ (at most $t - q_E$ times, with $q_E$ the number of extraction
queries). To respond to these queries, $\mathcal{R}$ maintains a list $\mathcal{L}_H$ of tuples
$(ID_i, x_i, sk_{ID_i})$ that contains at the beginning:

$\{(*, x_i, *)\}_{i=1}^{t},\qquad \{(ID_i^*, x_{t+i}, *)\}_{i=1}^{s^*}$

(we choose to note $*$ an empty entry in $\mathcal{L}_H$). When the adversary issues
a hash query on identity $ID_i$,

1. If $ID_i$ already appears in the list $\mathcal{L}_H$, $\mathcal{R}$ responds with the corresponding $x_i$.

2. Otherwise, $\mathcal{R}$ sets $\mathcal{H}(ID_i) = x_i$, and completes the list with $(ID_i, x_i, *)$.
Query phase 1: The adversary $\mathcal{A}$ adaptively issues queries $q_1, \ldots, q_m$, where
$q_i$ is an Extraction query $(ID_i)$: The challenger runs Extract on $ID_i \notin S^*$ and
forwards the resulting private key to the adversary. To generate the keys,

• if $\mathcal{A}$ has already issued an extraction query on $ID_i$, $\mathcal{R}$ responds with the
corresponding $sk_{ID_i}$ in the list $\mathcal{L}_H$.

• else, if $\mathcal{A}$ has already issued a hash query on $ID_i$, then $\mathcal{R}$ uses the
corresponding $x_i$ to compute

$sk_{ID_i} = g_0^{f_i(\gamma)} = g^{\frac{1}{\gamma + \mathcal{H}(ID_i)}}$

One can verify that $sk_{ID_i}$ is a valid private key. $\mathcal{R}$ then completes the list
$\mathcal{L}_H$ with $sk_{ID_i}$ for $ID_i$.

• Otherwise, $\mathcal{R}$ sets $\mathcal{H}(ID_i) = x_i$, computes the corresponding $sk_{ID_i}$ exactly
as above, and completes the list $\mathcal{L}_H$ for $ID_i$.

Challenge: When $\mathcal{A}$ decides that phase 1 is over, algorithm $\mathcal{R}$ computes Encrypt
to obtain $(Hdr^*, K) = \mathrm{Encrypt}(S^*, PK)$

$C_1 = g_0^{-k\cdot\gamma\cdot f(\gamma)},\qquad C_2 = h_0^{k\cdot g(\gamma)},\qquad K = T^{\prod_{i=t+s^*+1}^{t+n} x_i} \cdot e\big(g_0^{k\cdot\gamma\cdot f(\gamma)},\ h_0^{q(\gamma)}\big)$

with $q(\gamma) = \dfrac{1}{\gamma}\cdot\Big(\prod_{i=t+s^*+1}^{t+n}(\gamma + x_i) - \prod_{i=t+s^*+1}^{t+n} x_i\Big)$.

One can verify that:

$C_1 = w^{-k},\qquad C_2 = h_0^{k\cdot\prod_{i=t+s^*+1}^{t+n}(\gamma + x_i)\cdot\prod_{i=t+1}^{t+s^*}(\gamma + x_i)} = h^{k\cdot\prod_{i=t+1}^{t+s^*}(\gamma + x_i)}.$

Note that if $T = e(g_0, h_0)^{k\cdot f(\gamma)}$, then $K = v^k$.

The challenger then randomly selects $b \leftarrow \{0, 1\}$, sets $K_b = K$, and sets
$K_{1-b}$ to a random value in $\mathcal{K}$. The challenger returns $(Hdr^*, K_0, K_1)$ to $\mathcal{A}$.

Query phase 2: The adversary continues to issue queries $q_{m+1}, \ldots, q_{q_E}$ where
$q_i$ is an extraction query $(ID_i)$ with the constraint that $ID_i \notin S^*$ (identical
to phase 1).

Guess: Finally, the adversary $\mathcal{A}$ outputs a guess $b' \in \{0, 1\}$ and wins the game
if $b = b'$.


One has

$\mathrm{Adv}^{gddhe}(f, g, F, \mathcal{R}) = \Pr[b' = b \mid \mathrm{real}] - \Pr[b' = b \mid \mathrm{rand}]$

$= \tfrac{1}{2} \times \big(\Pr[b' = 1 \mid b = 1 \wedge \mathrm{real}] - \Pr[b' = 1 \mid b = 0 \wedge \mathrm{real}]\big)$

$\quad - \tfrac{1}{2} \times \big(\Pr[b' = 1 \mid b = 1 \wedge \mathrm{rand}] - \Pr[b' = 1 \mid b = 0 \wedge \mathrm{rand}]\big)$.

Now in the random case, the distribution of b is independent from the adversary's
view, wherefrom

$\Pr[b' = 1 \mid b = 1 \wedge \mathrm{rand}] = \Pr[b' = 1 \mid b = 0 \wedge \mathrm{rand}]$.

In the real case however, the distributions of all variables defined by $\mathcal{R}$
perfectly comply with the semantic security game since all simulations are perfect.
Therefore

$\mathrm{Adv}^{ind}_{IBBE}(t, n, \mathcal{A}) = \Pr[b' = 1 \mid b = 1 \wedge \mathrm{real}] - \Pr[b' = 1 \mid b = 0 \wedge \mathrm{real}]$.

Putting it altogether, we get that $\mathrm{Adv}^{gddhe}(f, g, F, \mathcal{R}) = \tfrac{1}{2} \cdot \mathrm{Adv}^{ind}_{IBBE}(t, n, \mathcal{A})$.

Remark. Note that if the attacker makes fewer key derivation queries than random
oracle queries, we generate keys that we never give out, but this is not a problem.

About chosen-ciphertext attacks. The Canetti, Halevi, and Katz result
applies here: make one of the identities that we broadcast to derive from
a verification key of a strong signature scheme, which can then be used to sign the
ciphertext.

Removing the Random Oracle Model. One way to remove the random
oracle model could be to randomize the private key extraction as follows: For
an identity $ID_i$, $sk_{ID_i} = g^{\frac{1}{\gamma + ID_i}}$ could be replaced by $A_i = g^{\frac{1}{\gamma + ID_i + r_i\,\alpha}}$, with $\alpha$ an
element of MSK and $r_i$ chosen by the PKG. Note that this randomization has
already been employed in [ref].

Note also that we could easily obtain IND-na-sID-CPA without random oracles
by using an assumption which is not fully non-interactive. Indeed, during
the setup, if the algorithm is given a (f, g, F)-GDDHE instance, with g that
corresponds to the target set and f to the corrupted set (chosen by the attacker
at initialization), then the rest of the proof can be done without any oracle.

4 Conclusion 

We introduced the first identity-based broadcast encryption (IBBE) scheme with 
constant size ciphertexts and private keys. One interesting open problem would 
be to construct an IBBE system with constant size ciphertexts and private keys 
that is secure under a more standard assumption, or which achieves a stronger 
security notion, equivalent to full security in IBE schemes. 
A Intractability of (f, g, F)-GDDHE

In this section, we prove the intractability of distinguishing the two distributions
involved in the (f, g, F)-GDDHE problem (cf. Corollary 1 above). We first
review some results on the General Diffie-Hellman Exponent Problem, from [ref].
In order to be the most general, we assume the easiest case for the adversary:
when $G_1 = G_2$, or at least that an isomorphism that can be easily computed in
either one or both ways is available.

Theorem 2 ([ref]). Let $P, Q \in \mathbb{F}_p[X_1, \ldots, X_m]$ be two s-tuples of m-variate
polynomials over $\mathbb{F}_p$ and let $F \in \mathbb{F}_p[X_1, \ldots, X_m]$. Let $d_P$ (resp. $d_Q$, $d_F$) denote the
maximal degree of elements of P (resp. of Q, F) and pose $d = \max(2d_P, d_Q, d_F)$.
If F is independent of (P, Q), then for any generic-model adversary $\mathcal{A}$ totalizing at most q queries
to the oracles (group operations in $G$, $G_T$ and evaluations of e) which is given
$H(x_1, \ldots, x_m)$ as input and tries to distinguish $g^{F(x_1, \ldots, x_m)}$ from a random value
in $G_T$, one has

$\mathrm{Adv}(\mathcal{A}) \le \dfrac{(q + 2s + 2)^2 \cdot d}{2p}$.

Proof (of Corollary 1). In order to conclude with Corollary 1 we need to prove
that the (f, g, F)-GDDHE problem lies in the scope of Theorem 2. As already
said, we consider the weakest case $G_1 = G_2 = G$ and thus pose $h_0 = g_0^{\beta}$. Our
problem can be reformulated as (P, Q, F)-GDHE where

$P = \big(1,\ \gamma,\ \gamma^2,\ \ldots,\ \gamma^{t-1},\ \gamma\cdot f(\gamma),\ k\cdot\gamma\cdot f(\gamma),\ \ \beta,\ \beta\cdot\gamma,\ \beta\cdot\gamma^2,\ \ldots,\ \beta\cdot\gamma^{2n},\ k\cdot\beta\cdot g(\gamma)\big)$

$Q = 1$

$F = k\cdot\beta\cdot f(\gamma)$,

and thus m = 3 and s = t + n + 4. We have to show that F is independent
of (P, Q), i.e. that no coefficients $a_{i,j}$ and $b_1$ exist such that
$F = \sum_{i,j=1}^{s} a_{i,j}\, p_i\, p_j + b_1\, q_1$, where the polynomials $p_i$ and $q_1$ are the ones listed
in P and Q above. By making all possible products of two polynomials from P
which are multiples of $k\cdot\beta$, we want to prove that no linear combination among
the polynomials from the list R below leads to F:

$R = \big(k\cdot\beta\cdot\gamma\cdot f(\gamma),\ k\cdot\beta\cdot\gamma^2\cdot f(\gamma),\ \ldots,\ k\cdot\beta\cdot\gamma^{n+1}\cdot f(\gamma),$
$\qquad\ k\cdot\beta\cdot g(\gamma),\ k\cdot\beta\cdot\gamma\cdot g(\gamma),\ \ldots,\ k\cdot\beta\cdot\gamma^{t-1}\cdot g(\gamma),$
$\qquad\ k\cdot\beta\cdot\gamma\cdot f(\gamma)g(\gamma)\big)$

Note that the last polynomial can be written as
$k\cdot\beta\cdot\gamma\cdot f(\gamma)g(\gamma) = \sum_{i=0}^{n} c_i \cdot k\cdot\beta\cdot\gamma^{i+1}\cdot f(\gamma)$ (writing $g(\gamma) = \sum_{i=0}^{n} c_i\,\gamma^i$),
and thus as a linear combination of the polynomials from the first
line. We therefore simplify the task to refuting a linear combination of elements
of the list R' below which leads to $f(\gamma)$:

$R' = \big(\gamma\cdot f(\gamma),\ \gamma^2\cdot f(\gamma),\ \ldots,\ \gamma^{n+1}\cdot f(\gamma),\ \ g(\gamma),\ \gamma\cdot g(\gamma),\ \ldots,\ \gamma^{t-1}\cdot g(\gamma)\big)$

Any such linear combination can be written as

$f(\gamma) = A(\gamma)\cdot f(\gamma) + B(\gamma)\cdot g(\gamma)$

where A and B are polynomials such that A(0) = 0, $\deg A \le n + 1$ and $\deg B \le t - 1$.
Since f and g are coprime by assumption, we must have $f \mid B$. Since
$\deg f = t$ and $\deg B \le t - 1$ this implies B = 0. Hence A = 1 which contradicts
A(0) = 0. □
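The independence argument above, carried out numerically as an added Python illustration (not the paper's code): it builds f and g from constructed random roots over a small prime field standing in for $\mathbb{F}_p$, forms the list R', and checks by Gaussian elimination that $f(\gamma)$ is not a linear combination of R' (the prime, t, n and the seed are assumptions).

```python
"""Computational check of the independence argument in the proof of Corollary 1:
f(gamma) is not an F_p-linear combination of the list R'.  Added illustration,
not the paper's code.  Assumptions: a small constructed prime P stands in for the
group order p; t, n and the seed are chosen here; the roots x_i are drawn at
random and are pairwise distinct, so f and g are coprime as the corollary requires."""
import random

P = 1_000_003   # constructed small prime, stands in for the group order p


def poly_mul(a, b):
    """Product of two polynomials in F_P[x], coefficient lists low degree first."""
    out = [0] * (len(a) + len(b) - 1)
    for i, u in enumerate(a):
        for j, v in enumerate(b):
            out[i + j] = (out[i + j] + u * v) % P
    return out


def poly_from_roots(roots):
    """prod_i (x + x_i), the shape of f and g in the paper's Notations."""
    poly = [1]
    for r in roots:
        poly = poly_mul(poly, [r % P, 1])
    return poly


def times_gamma_pow(poly, j):
    """gamma^j * poly(gamma): shift the coefficients up by j positions."""
    return [0] * j + poly


def in_span(target, generators):
    """Is `target` an F_P-linear combination of `generators`?  Incremental
    Gaussian elimination: each generator is reduced against the pivot rows found
    so far and normalised; finally the target is reduced the same way and lies
    in the span iff the remainder is zero."""
    width = max(len(v) for v in generators + [target])
    pivots = []                                 # (pivot column, normalised row)

    def reduce_row(row):
        row = row + [0] * (width - len(row))
        for col, prow in pivots:
            if row[col]:
                c = row[col]
                row = [(u - c * v) % P for u, v in zip(row, prow)]
        return row

    for gen in generators:
        row = reduce_row(gen)
        lead = next((c for c, u in enumerate(row) if u), None)
        if lead is not None:
            inv = pow(row[lead], P - 2, P)      # field inverse via Fermat
            pivots.append((lead, [u * inv % P for u in row]))
    return not any(reduce_row(target))


def gddhe_lists(t, n, seed):
    """Build f, g and R' = (gamma*f, ..., gamma^{n+1}*f, g, gamma*g, ..., gamma^{t-1}*g)."""
    rng = random.Random(seed)
    roots = rng.sample(range(1, P), t + n)     # pairwise distinct => gcd(f, g) = 1
    f = poly_from_roots(roots[:t])             # degree t: roots of the corrupted set
    g = poly_from_roots(roots[t:])             # degree n: roots of the target set
    r_prime = ([times_gamma_pow(f, j) for j in range(1, n + 2)]
               + [times_gamma_pow(g, j) for j in range(t)])
    return f, g, r_prime


def f_is_independent(t=3, n=4, seed=2007):
    """True iff f(gamma) is NOT in the span of R', which is what the proof shows."""
    f, _, r_prime = gddhe_lists(t, n, seed)
    return not in_span(f, r_prime)


def control_in_span(t=3, n=4, seed=2007):
    """Sanity control: gamma^2 * f(gamma) is itself an element of R'."""
    f, _, r_prime = gddhe_lists(t, n, seed)
    return in_span(times_gamma_pow(f, 2), r_prime)


if __name__ == "__main__":
    print("f(gamma) independent of R':", f_is_independent())
    print("control (gamma^2 f in span):", control_in_span())
```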
Abstract. This paper presents a novel mode of operation of compression
functions, intended for dedicated use as a message authentication
code (MAC). The new approach is faster than the well-known Merkle-
Damgard iteration; more precisely, it is (1 + c/b)-times as fast as the
classical Merkle-Damgard hashing when applied to a compression function
$h : \{0,1\}^{c+b} \to \{0,1\}^c$. Our construction provides a single-key
MAC with provable security; we show that the proposed scheme yields a
PRF (pseudo-random function)-based MAC on the assumption that the
underlying compression function h satisfies certain PRF properties. Thus
our method offers a way to process data more efficiently than the conventional
HMAC without losing formal proofs of security. Our design also
takes into account usage with prospective compression functions; that is,
those compression functions h with relatively weighty load and relatively
large c (i.e., “wide-pipe”) greatly benefit from the improved performance
by our mode of operation.

Keywords: Merkle-Damgard, pseudo-random function, related-key attack,
message authentication code, hash function, compression function,
mode of operation, NMAC, HMAC.


1 Introduction 

The Merkle-Damgard iteration [ref] is a popular and classical mode of operation
for cryptographic hash functions. It is widely used not only for keyless
hash functions but also for randomized hash functions, message authentication
codes (MACs) and pseudo-random functions (PRFs). It is popular,
widespread and successful in some respects, but nowadays some problems are becoming
more and more evident, which initiates investigation into better modes of
operation [ref].

Inspired by this trend, in this paper we free ourselves from the traditional
Merkle-Damgard iteration and devise a novel mode of operation that can be
used exclusively as a secure, single-keyed MAC. Our method is the first of its
kind that can process a message more efficiently than the conventional Merkle-
Damgard iteration and that can be provided with formal proofs of security. More
precisely, the proposed scheme is (1 + c/b)-times faster than the conservative
Merkle-Damgard hashing (and hence HMAC [2]), when applied to a compression
function $h : \{0,1\}^{c+b} \to \{0,1\}^c$. For example, with the compression function
$\mathrm{sha256} : \{0,1\}^{256+512} \to \{0,1\}^{256}$ the new method yields a 50% increase in
performance as compared to HMAC. As to the security of our new scheme,
we obtain results that are similar to the recent ones of NMAC and HMAC
[ref]; namely, we prove that the proposed mode of operation results in a PRF-
based MAC whose security relies on the pseudo-randomness properties of the
underlying compression function.

K. Kurosawa (Ed.): ASIACRYPT 2007, LNCS 4833, pp. 216-231, 2007.

Brief Outline of Our Construction and Its Security. Our construction
can be regarded as a derivative of NMAC. Recall that NMAC is based on a
nested structure consisting of an inner part of hashing and an outer part of
encryption. In our construction we boost up the performance of the inner hashing
by introducing a novel method of iteration, where each invocation to the
underlying compression function $h : \{0,1\}^{c+b} \to \{0,1\}^c$ processes more input bits.
It takes c + b bits of a message, rather than just b bits as in the conventional
Merkle-Damgard iteration.

The inner hashing should satisfy a certain form of collision resistance, in order
for the nested MAC to be secure. NMAC fulfills this requirement by assuming
that the underlying compression function is a PRF [2]. On the other hand,
in our construction it turns out that we need to impose an extra condition on
the underlying compression function in order to ensure the desired property of
the inner hashing. The additional condition is a type of pseudo-randomness in
a mild form of related-key setting; in fact, our proofs of security can be viewed
as a related-key version of those in [2].

Backgrounds. A motive for this work originates from the recent degradation
of existing hash functions such as MD5 and SHA-1. These algorithms are
first shown to be vulnerable to collision attacks as keyless hash functions, but
the techniques are then extended to forgery and key-recovery attacks against
NMAC/HMAC constructed of these hash functions [ref]. These attacks tell us
that it is high time to move toward new compression functions. In fact, NIST
announces ending its support for SHA-1 and recommends migrating to the SHA-2
family by the year 2010 [ref]. Since the SHA-2 family is slower than SHA-1, the
replacement would result in lowering performance and losing an advantage of
hash-based MACs (as compared to MACs of other types, say block-cipher-based
or universal-hash-based ones). One way to overcome this problem is to use a
more efficient mode of operation, absorbing the decrease in performance caused
by the new compression function.

Another reason to propose the new mode comes from a security principle of
iterated functions that the size c of a chaining variable be relatively large. This
requirement is particularly evident for MACs, due to the birthday attack [ref]
showing that half the size c of the chaining variable corresponds to a security
parameter. Having a large size c of a chaining variable is a good design principle
also in the context of keyless hash functions, as illustrated by the “wide-pipe”
argument [ref]. Such design with large c, unfortunately, results in a performance
disadvantage of the traditional Merkle-Damgard iteration. On the other hand,
in our approach the size c is irrelevant in terms of efficiency, and indeed large c is
welcomed; such large c increases relative performance of our scheme as compared
to the conventional Merkle-Damgard iteration.

Organization of This Paper. In the following section we review some of
the previous results concerning modes of operation of compression functions
and identify the position of this work among them. Section 3 introduces design
principles of our approach and a two-key prototype of our MAC construction.
In Sect. 4 and 5 we define security notions utilized in this paper and discuss
some aspects of them. Section 6 is devoted to security proofs of the two-key
construction. In Sect. 7 and 8 we show techniques of constructing a single-key
version and those of using a shorter key, respectively. Section 9 summarizes this
paper.

2 Related Work 

Merkle-Damgard. The Merkle-Damgard iteration gives a way to extend the
domain of a compression function, having an attractive property that collision
resistance of the compression function extends to the entire hash function (in
either a keyless or keyed context) [ref]. Owing to standardization and lack of
regulation on export control, hash functions such as MD5 and SHA-1 are widely
available in software libraries today. The widespread use of these keyless hash
functions implemented with the Merkle-Damgard iteration also influences design
principles for randomized hash functions and hash-based MACs/PRFs.

Randomized Hash Functions. The question of domain extension of target-
collision-resistant (TCR) functions is intensively studied [ref], where several
modes of operation are suggested, which extend a TCR compression function to
TCR hash functions. The common problem of these schemes is that the key size
grows as a message length does. This obstacle is resolved in [ref], where proposed
is a mode of operation that runs as efficiently as the Merkle-Damgard iteration
and that requires only a constant-size key. The trick is that its security is based
on the assumption that the compression function satisfies new (but reasonable)
properties, which are different from the notion of TCR.

MACs and PRFs. The NI and CS constructs [ref] provide domain extension
of MACs. The problem is that these modes are slower than the Merkle-Damgard
iteration. This drawback is absent from HMAC, which achieves the same efficiency
as the Merkle-Damgard iteration. This is a natural outcome since HMAC
gives domain extension of PRFs, not MACs.¹

In this paper we push ahead with this idea in order to obtain a PRF via a
mode of operation that is even more efficient than HMAC. The trick is that
our security result is based on the assumption that the underlying compression
function satisfies, in addition to the usual PRF, a new (but reasonable) PRF
property (which we call Δ-2PRF).

¹ Recall that a PRF is a secure MAC. There is another construct based on a PRF,
called XOR-MAC [ref]. XOR-MAC is capable of parallel processing, yet without it
XOR-MAC is in general slower than the Merkle-Damgard iteration.

Boosting Merkle-Damgard Hashing for Message Authentication 219

Table 1. Comparison of modes of operation for MAC/PRF

                       | Performance      | Goal | Assumptions²    | Reference
NI / CS                | < Merkle-Damgard | MAC  | MAC             | [ref]
NMAC / HMAC            | = Merkle-Damgard | MAC  | pp-MAC, 2PRF    | [ref]
                       |                  | PRF  | PRF             |
Proposed construction  | > Merkle-Damgard | MAC  | pp-MAC, Δ-2PRF  |
                       |                  | PRF  | PRF, Δ-2PRF     |

Our construction is dedicated to MAC/PRF use. In return, our approach accomplishes
higher performance than the Merkle-Damgard iteration, which seems
to be hard to realize in the context of keyless or randomized hash functions —
we may consider the circumstances as evidence that our mode of operation fully
takes advantage of the presence of a “secret” key in the MAC/PRF situation.
See Table 1 for a comparison of these MAC/PRF modes.

Multi-property Preservation. EMD [ref] and ESh [ref] are modes of operation
that preserve multiple properties (e.g., collision resistance, pseudo-randomness,
etc.). These are integrative approaches, taking the converse point of view to the
problem of domain extension; our goal is to construct a mode of operation that is
specific to the MAC/PRF property. While EMD or ESh offers a single program that
can be used for multiple purposes (and hence a small source code, less confusion
and a safety net), it may not perform the best with respect to a specific property
(e.g., pseudo-randomness). It should be noted that the code size of our mode of
operation is much smaller than that of the compression function: The description
of our construction requires only a loop, an XOR and a concatenation.

ENMAC. ENMAC [ref] is an improvement over NMAC/HMAC, which is efficient
particularly with short messages. This technique is also orthogonal to our
approach, but it is so in a compatible way. That is, both ENMAC and our MAC
in principle conform to the nested construction of NMAC (Recall that NMAC
consists of outer encryption and inner hashing.) While ENMAC is an improvement
on the outer function of NMAC, our construction is an improvement on the
inner function. Hence ENMAC and our approach can coexist, but throughout
the paper we base our construction upon the conventional NMAC for the sake
of simplicity.³


² “pp-MAC” stands for privacy-preserving MAC, and “2PRF” for PRF against just
two oracle queries.

³ Intuitively, ENMAC improves performance mainly for short messages while our construction
does so mainly for long messages. To a greater or lesser degree, each scheme
alone improves performance essentially for all messages.
3 Design Principles

Merkle-Damgard. Figure 1 depicts the traditional Merkle-Damgard iteration
using a compression function $h : \{0,1\}^{c+b} \to \{0,1\}^c$. In this classical hashing, a
message M is divided into b-bit blocks as $M = m_1 \| m_2 \| \cdots$, and it is processed
via the iteration $x_i \stackrel{\mathrm{def}}{=} h(x_{i-1} \| m_i)$. Note that each invocation to h processes
b bits of M in this conservative mode of operation.



Boosting. We start by trying to “maximize” the efficiency of each invocation
to the compression function h. Note that h has (c + b)-bit input; we devise
a mode of iteration we call “hyper-Merkle-Damgard,” in which each invocation
to h disposes of c + b bits of a message M. We do this by XOR-ing the
chaining variable and the next c bits of M on each input. This is illustrated
in Fig. 2. In the hyper-Merkle-Damgard iteration, a message M is divided as
$M = m_1 \| m_2 \| \cdots$ so that $|m_1| = |m_3| = \cdots = c$ and $|m_2| = |m_4| = \cdots = b$. We
refer to the (c + b)-bit segment as a “chunk.” The iteration works as

$x_i = h\big((x_{i-1} \oplus m_{2i-1}) \| m_{2i}\big)$.

Thus, the hyper-Merkle-Damgard iteration is c/b as fast again as the usual Merkle-Damgard.



Fig. 2. Hyper-Merkle-Damgard iteration 


Keying. We adopt the popular approach of keying a compression function h
via its chaining variable. Namely, we obtain $h_K : \{0,1\}^b \to \{0,1\}^c$ by defining
$h_K \stackrel{\mathrm{def}}{=} h(K \| \cdot)$ where $K \xleftarrow{\$} \{0,1\}^c$. Also, let $\{0,1\}^{(c+b)*}$ denote the set of bit
strings whose lengths are multiples of c + b bits and define $H_K : \{0,1\}^{(c+b)*} \to \{0,1\}^c$
as $x_1 \leftarrow h_{K \oplus m_1}(m_2)$, $x_i \leftarrow h_{x_{i-1} \oplus m_{2i-1}}(m_{2i})$, $H_K(M) \stackrel{\mathrm{def}}{=} x_n$, for an
n-chunk message $M = m_1 \| \cdots \| m_{2n}$.
Nesting. The keyed function $H_K$ constructed above as it is cannot be used
as a secure MAC/PRF. In order to turn it into a secure construction, we employ
the “nested approach” of the NI and NMAC constructions. Namely, define
$\mathrm{BNMAC}_{K,K'} : \{0,1\}^{(c+b)*} \to \{0,1\}^c$ via $\mathrm{BNMAC}_{K,K'}(\cdot) \stackrel{\mathrm{def}}{=} h_{K'}\big(H_K(\cdot) \| 1^{b-c}\big)$.⁴
See Fig. 3 for a pictorial definition of our BNMAC construction. As already
pointed out in [2], the conventional NMAC construction can be viewed as a
computational version of the Carter-Wegman paradigm. Similarly, our result can be
viewed as a related-key version of the result for the conventional NMAC. Since
our assumptions concerning the function h include a related-key, non-standard
one, we try to base the assumption upon as weak a condition as possible. We
successfully do this; the condition only allows an adversary to make just two
(related-key) oracle queries in a non-adaptive way.



Fig. 3. Proposed MAC construction, double-key version (BNMAC) 


Padding. The above $\mathrm{BNMAC}_{K,K'}(\cdot)$ accepts only messages whose lengths are
multiples of c + b bits. In order for the scheme to process a message of arbitrary
length, the message M needs to be somehow padded. It turns out that any (one-
to-one) padding $\{0,1\}^* \to \{0,1\}^{(c+b)*}$ works with our BNMAC construction, so
hereafter we assume that a message always has a length multiple of c + b bits
(As an example of padding, just append 10···0).
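The hyper-Merkle-Damgard iteration, the keying, the nesting and the padding of this section put together as an added Python illustration (not the paper's own code). It assumes c = 256, b = 512, a SHA-256 stand-in for the compression function h, and byte-granular 10···0 padding; it also counts compression-function calls so the (1 + c/b) speed-up against classical Merkle-Damgard can be seen directly.

```python
"""Hyper-Merkle-Damgard iteration and the two-key BNMAC of Section 3.
Added illustration, not the paper's code.  Assumptions: c = 256 and b = 512 bits;
h is stood in for by SHA-256 over its (c+b)-bit input, which has the signature
{0,1}^{c+b} -> {0,1}^c but is NOT the internal SHA-256 compression function."""
import hashlib

C_BYTES = 32                   # c = 256 bits: chaining variable / key size
B_BYTES = 64                   # b = 512 bits: message block size
CHUNK = C_BYTES + B_BYTES      # one "chunk": c + b bits absorbed per call to h


def h(chain: bytes, block: bytes) -> bytes:
    """Stand-in compression function h(chain || block) -> c bits."""
    assert len(chain) == C_BYTES and len(block) == B_BYTES
    return hashlib.sha256(chain + block).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pad_to(msg: bytes, unit: int) -> bytes:
    """One-to-one padding 10...0 (byte granular) up to a multiple of `unit` bytes."""
    out = msg + b"\x80"
    return out + b"\x00" * (-len(out) % unit)


def merkle_damgard(key: bytes, msg: bytes):
    """Classical iteration x_i = h(x_{i-1} || m_i): b bits per call to h.
    Returns (digest, number of calls to h)."""
    padded = pad_to(msg, B_BYTES)
    x, calls = key, 0
    for i in range(0, len(padded), B_BYTES):
        x = h(x, padded[i:i + B_BYTES])
        calls += 1
    return x, calls


def hyper_md(key: bytes, msg: bytes):
    """Hyper-Merkle-Damgard (Fig. 2): x_i = h((x_{i-1} xor m_{2i-1}) || m_{2i}).
    Each call to h absorbs a whole chunk of c + b bits.  `msg` must already be
    padded to a multiple of c + b bits.  Returns (H_K(M), number of calls to h)."""
    assert len(msg) % CHUNK == 0
    x, calls = key, 0
    for i in range(0, len(msg), CHUNK):
        m_odd = msg[i:i + C_BYTES]            # m_{2i-1}: c bits, XORed into the chain
        m_even = msg[i + C_BYTES:i + CHUNK]   # m_{2i}:   b bits, the block input
        x = h(xor(x, m_odd), m_even)
        calls += 1
    return x, calls


def bnmac(k: bytes, k_outer: bytes, msg: bytes) -> bytes:
    """BNMAC_{K,K'}(M) = h_{K'}( H_K(pad(M)) || 1^{b-c} )  (Nesting, Section 3)."""
    assert len(k) == C_BYTES and len(k_outer) == C_BYTES
    inner, _ = hyper_md(k, pad_to(msg, CHUNK))
    return h(k_outer, inner + b"\xff" * (B_BYTES - C_BYTES))


def compression_calls(msg: bytes):
    """Calls to h spent on `msg` by classical MD versus hyper-MD (fixed zero key)."""
    key = b"\x00" * C_BYTES
    return merkle_damgard(key, msg)[1], hyper_md(key, pad_to(msg, CHUNK))[1]


if __name__ == "__main__":
    # Constructed sample of 1536 bytes: MD needs 25 calls (24 blocks + padding
    # block), hyper-MD needs 17 (16 chunks + padding chunk): about (1 + c/b) = 1.5x.
    md_calls, hyper_calls = compression_calls(b"A" * 1536)
    print("MD calls:", md_calls, " hyper-MD calls:", hyper_calls)
```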

4 Definitions 

Notation. The concatenation $x \| y$ of strings x and y is sometimes written simply
xy. We say that a string x is a prefix of another string y and write $x \sqsubseteq y$ if there
exists a string e such that xe = y. We write $x \xleftarrow{\$} X$ to denote the operation of
choosing an element uniformly at random from a set X and assigning its value
to a variable x. An adversary A is a probabilistic machine that may have access
to an oracle O. The notation $A^O \Rightarrow x$ indicates the event that, when run with
the oracle O, the adversary A outputs x. An oracle O is often defined by a game
G. In such a case we write $A^G$ in place of $A^O$. We also write $A \Leftarrow x$ to denote
the operation of inputting the value x into A.

⁴ Here we assume that b > c. Although we could get around this requirement by
extending the outer function via Merkle-Damgard iteration [ref], yet for simplicity
we assume this condition throughout the paper.
Notion of PRF. Let $\{f_K : M \to X\}$ be a family of functions with $K \in \{0,1\}^k$.
A prf-adversary A tries to distinguish between two oracles, the “real”
oracle being $f_K(\cdot)$, $K \xleftarrow{\$} \{0,1\}^k$ and the “random” oracle being $f(\cdot)$,
$f \xleftarrow{\$} \{f : M \to X\}$ (Fixing K fixes the real oracle, and fixing f fixes the random oracle).
Succinctly, define the advantage function of A as

$\mathrm{Adv}^{prf}_f(A) \stackrel{\mathrm{def}}{=} \Pr[A^f \Rightarrow 1] - \Pr[A^{\$} \Rightarrow 1]$,

where by f we denote the real oracle and by $\$$ the random oracle. The first
probability is defined over the coins of A and $K \leftarrow \{0,1\}^k$, and the second
probability over the coins of A and $f \leftarrow \{f : M \to X\}$.

New Notion of Δ-2PRF. Let $\{f_K : M \to X\}$ be a family of functions with
$K \in \{0,1\}^k$. A Δ-2prf adversary A tries to distinguish between two games,
as defined in Table 2. Namely, at the beginning of each game the adversary
A queries once $(m, \Delta, m')$ with $m, m' \in M$ and $\Delta \in \{0,1\}^k$. Then the oracle
answers $(x, x')$ to the adversary A, whose values are determined differently in
each game as described. Finally A outputs 1 or 0. Succinctly define

$\mathrm{Adv}^{\Delta\text{-}2prf}_f(A) \stackrel{\mathrm{def}}{=} \Pr[A^f \Rightarrow 1] - \Pr[A^{\$} \Rightarrow 1]$,

where again by f we denote the real oracle and by $\$$ the random oracle.

Table 2. Real and random games for Δ-2PRF

Real:
  A ⇒ (m, Δ, m')
  K ←$ {0,1}^k
  x ← f_K(m);  x' ← f_{K⊕Δ}(m')
  A ⇐ (x, x')

Random:
  A ⇒ (m, Δ, m')
  x, x' ←$ X
  If Δ = 0 and m = m' then x' ← x EndIf
  A ⇐ (x, x')


Resource Parameters. An adversary A's resources are quantified with respect
to its time complexity t, the number q of oracle queries and the length
ℓ (in chunks, if applicable) of each query. We adopt the convention that the
time complexity t includes the total execution time of an overlying game (the
maximum of each game) plus the code size of A. Define

$\mathrm{Adv}^{goal}_f(t, q, \ell) \stackrel{\mathrm{def}}{=} \max_A \mathrm{Adv}^{goal}_f(A)$,

where max is taken over adversaries A, each having time complexity at most t
and making at most q oracle queries, each query being at most ℓ chunks. Often
one or two of t, q, ℓ are inappropriate to be quantified, in which case they are
omitted from the notation. Here, “goal” indicates the property in question, e.g.,
“prf.” We write $T_f(\ell)$ to denote the time complexity that it takes to compute a
function f on an input whose length is ℓ chunks (and again, ℓ may be omitted).
5 Discussion on Δ-2PRF Property

Since we introduce the new notion Δ-2PRF on which our proofs of security are
based, in this section we take a closer look at this requirement on the underlying
compression function h. Intuitively, we can view the Δ-2PRF condition as a
form of pseudo-randomness under a related-key attack. Yet, it is so in one of
the weakest forms possible; namely, in Δ-2PRF, an adversary is limited to ask
only two queries, and these queries must be performed non-adaptively. In other
words, he must submit his entire queries (two messages m, m' and a relation Δ)
together at the beginning of the game.

So the notion of Δ-2PRF itself is not a demanding requirement, though it
cannot be deduced from the standard PRF (against q queries) assumption. We
remark that the condition that h be a Δ-2PRF and the condition that h be a
PRF (against q queries) are independent; neither one implies the other.

To get the feel of handling the notion of Δ-2PRF, we give an example of
MD5. Let $\mathrm{md5} : \{0,1\}^{128+512} \to \{0,1\}^{128}$ be the compression function of MD5.
It is known [ref] that md5 is vulnerable to a so-called “pseudo-collision” attack.
That is, for $\Delta \stackrel{\mathrm{def}}{=}$ 8000 0000 8000 0000 8000 0000 8000 0000 the condition
$\mathrm{md5}_K(m) = \mathrm{md5}_{K \oplus \Delta}(m)$ ($K \xleftarrow{\$} \{0,1\}^{128}$, $m \xleftarrow{\$} \{0,1\}^{512}$) holds with a probability
of about $1/2^{46} \gg 1/2^{128}$. Using this technique, an adversary A can attack
md5 in the Δ-2PRF sense: A queries $(m, \Delta, m)$ ($m \leftarrow \{0,1\}^{512}$) and receives
$(x, x')$; if $x = x'$, then A outputs 1; otherwise, A outputs 0. Such an A has
advantage $\mathrm{Adv}^{\Delta\text{-}2prf}_{\mathrm{md5}}(A) \approx 1/2^{46} - 1/2^{128}$. Thus, md5 does not satisfy the Δ-2PRF
property.

This characteristic of md5 is rather critical in its architecture. We expect that
this sort of attack be precluded by structural designs of forthcoming compression
functions, and certainly we would hope for designs without such a flaw in more
“matured” compression functions such as sha256.

At the end of this discussion, we emphasize the point that breaking Δ-2PRF
is easier than finding pseudo-collisions. Our proofs of security require that h be
a Δ-2PRF, and h just being resistant to pseudo-collisions would not suffice for
our purpose according to the current reduction.

6 Security Proofs (Double-Key Version) 

This section proves the following: 

Theorem 1. Let BNMAC be the two-key construction as defined in Sec. 3. If
the underlying compression function h is a PRF and a Δ-2PRF, then BNMAC
is a PRF. More concretely, we have

$\mathrm{Adv}^{prf}_{\mathrm{BNMAC}}(t, q, \ell) \le \mathrm{Adv}^{prf}_h(t, q) + \binom{q}{2} \cdot \Big(2(\ell + 1) \cdot \mathrm{Adv}^{\Delta\text{-}2prf}_h(t') + \frac{1}{2^c}\Big)$,

where $t' = (4\ell + 1) \cdot T_h$.
BNMAC: PRF
  | Lemma 1
H: cAU  +  h: PRF
  | Lemma 2
H: pf-2PRF
  | Lemma 3
h: Δ#Δ'-2PRF
  | Lemma 4
h: ΔΔ'-2PRF
  | Lemma 5
h: Δ-2PRF

Fig. 4. A proof map


The reduction in the above theorem is essentially tight, due to the birthday
attack [ref]. For more discussion on the gap from the exactly tight bound, see [2].
In order to prove this theorem, we need the following five lemmas. The five
lemmas sequentially reduce the PRF condition on the BNMAC scheme to the
PRF and Δ-2PRF conditions on the underlying compression function. Along the
proofs, we need several intermediate security notions, which are defined when
they first appear. See Fig. 4 for a guide map.

For stating the first lemma, we need to define the notion of cAU (computational
almost-universality). An au-adversary A against a keyed function
$H_K : \{0,1\}^{(c+b)*} \to \{0,1\}^c$ (with $K \in \{0,1\}^c$) simply outputs a pair of messages
$(M, M')$ with $M, M' \in \{0,1\}^{(c+b)*}$; define

$\mathrm{Adv}^{au}_H(A) \stackrel{\mathrm{def}}{=} \Pr\big[H_K(M) = H_K(M') \wedge M \ne M' \;\big|\; A \Rightarrow (M, M'),\ K \xleftarrow{\$} \{0,1\}^c\big]$.

Here note that such an adversary is non-adaptive. It also means that we can
disregard the time complexity of au-adversaries (and often it is set to $2 \cdot T_H(\ell)$).

Lemma 1. Let $H_K : \{0,1\}^{(c+b)*} \to \{0,1\}^c$ and $h_{K'} : \{0,1\}^b \to \{0,1\}^c$ be
keyed functions with $K, K' \in \{0,1\}^c$. If $H_K$ is cAU and $h_{K'}$ a PRF, then the
composition $h \circ H_{(K',K)}$ defined by $h_{K'}\big(H_K(M) \| 1^{b-c}\big)$ is a PRF. More concretely
written, the following holds:

$\mathrm{Adv}^{prf}_{h \circ H}(t, q, \ell) \le \mathrm{Adv}^{prf}_h(t, q) + \binom{q}{2} \cdot \mathrm{Adv}^{au}_H(t', \ell)$,

where $t' = 2 \cdot T_H(\ell)$.
Table 3. Real and random games for 2PRF

Real:
  A ⇒ (M, M')
  K ←$ {0,1}^c
  x ← H_K(M);  x' ← H_K(M')
  A ⇐ (x, x')

Random:
  A ⇒ (M, M')
  x, x' ←$ {0,1}^c
  If M = M' then x' ← x EndIf
  A ⇐ (x, x')

Table 4. Real and random games for Δ#Δ'-2PRF

Real:
  A ⇒ (Δ, m, #, Δ', m')
  K, K' ←$ {0,1}^c
  If # = 1 then
    x ← h_{K⊕Δ}(m);  x' ← h_{K⊕Δ'}(m')
  Else (i.e., # = 2)
    x ← h_{K⊕Δ}(m);  x' ← h_{K'⊕Δ'}(m')
  EndIf;  A ⇐ (x, x')

Random:
  A ⇒ (Δ, m, #, Δ', m')
  x, x' ←$ {0,1}^c
  If # = 1 and (Δ, m) = (Δ', m') then
    x' ← x
  EndIf
  A ⇐ (x, x')


Proof. This lemma (along with its pp-MAC version) is proved in [2]. □

The next lemma relates cAU to the pseudo-randomness property, utilizing the iterative
structure of the hyper-Merkle-Damgard. See Table 3 for the notion of
2PRF. We say that a 2prf-adversary A is “prefix-free” (pf-2prf) if $M \not\sqsubseteq M'$ and
$M' \not\sqsubseteq M$, where $(M, M')$ is the query output by A. Note that in particular,
prefix-freeness implies $M, M' \ne \varepsilon$ (null) and $M \ne M'$.

Lemma 2. Let h : {0,1}^{c+b} → {0,1}^c be a compression function and H_K :
{0,1}^{(c+b)*} → {0,1}^c the hyper-Merkle-Damgård iteration constructed of h,
keyed via its initial chaining variable. If H_K is prefix-free 2PRF, then it is cAU.
More concretely,

$\mathrm{Adv}^{\mathrm{au}}_H(t, \ell) \le \mathrm{Adv}^{\mathrm{pf\text{-}2prf}}_H(t, \ell + 1) + \frac{1}{2^c}.$

Proof. This can be easily proven by using the well-known "extension
trick" [2]. □

Now we reduce the condition that H be a prefix-free 2PRF to the condition that
h be a Δ#Δ'-2PRF, whose definition can be found in Table 4.

Lemma 3. If h is a Δ#Δ'-2PRF, then its hyper-Merkle-Damgård iteration H
is a prefix-free 2PRF. More concretely, we have

$\mathrm{Adv}^{\mathrm{pf\text{-}2prf}}_H(t, \ell) \le \ell \cdot \mathrm{Adv}^{\Delta\#\Delta'\text{-}2prf}_h(t'),$

where t' = t + 2·T_H(ℓ).
Game G_i:
  A ⇒ (M, M')
  x, x' ←$ {0,1}^c
  Define (y, y') as in Table 5
  A ⇐ (y, y')

Adversary B_i:
  A ⇒ (M, M')
  If m_1 ··· m_{2i} = m'_1 ··· m'_{2i} then
    (x, x') ← O(m_{2i+1}, m_{2i+2}, 1, m'_{2i+1}, m'_{2i+2})
  Else (i.e., m_1 ··· m_{2i} ≠ m'_1 ··· m'_{2i})
    (x, x') ← O(m_{2i+1}, m_{2i+2}, 2, m'_{2i+1}, m'_{2i+2})
  EndIf
  Define (y, y') as in Table 6
  A ⇐ (y, y')
  Output whatever A outputs

Fig. 5. Intermediate games G_i and adversaries B_i


Table 5. Definition of (y, y') in game G_i

Case n ≤ i, n' ≤ i:      y ← x;                          y' ← x'
Case n ≤ i, n' ≥ i+1:    y ← x;                          y' ← H_{x'}(m'_{2i+1} ··· m'_{2n'})
Case n ≥ i+1, n' ≤ i:    y ← H_x(m_{2i+1} ··· m_{2n});   y' ← x'
Case n ≥ i+1, n' ≥ i+1:  If m_1 ··· m_{2i} = m'_1 ··· m'_{2i} then
                           y ← H_x(m_{2i+1} ··· m_{2n});  y' ← H_x(m'_{2i+1} ··· m'_{2n'})
                         Else (i.e., m_1 ··· m_{2i} ≠ m'_1 ··· m'_{2i})
                           y ← H_x(m_{2i+1} ··· m_{2n});  y' ← H_{x'}(m'_{2i+1} ··· m'_{2n'})
                         EndIf


Table 6. Definition of (y, y') in adversary B_i

Case n ≤ i, n' ≤ i:      y ← x;                          y' ← x'
Case n ≤ i, n' ≥ i+1:    y ← x;                          y' ← H_{x'}(m'_{2i+3} ··· m'_{2n'})
Case n ≥ i+1, n' ≤ i:    y ← H_x(m_{2i+3} ··· m_{2n});   y' ← x'
Case n ≥ i+1, n' ≥ i+1:  y ← H_x(m_{2i+3} ··· m_{2n});   y' ← H_{x'}(m'_{2i+3} ··· m'_{2n'})

Table 7. Real and random games for ΔΔ'-2PRF

Real:
  A ⇒ (Δ, m, Δ', m')
  K ←$ {0,1}^c
  x ← h_{K⊕Δ}(m); x' ← h_{K⊕Δ'}(m')
  A ⇐ (x, x')

Random:
  A ⇒ (Δ, m, Δ', m')
  x, x' ←$ {0,1}^c
  If (Δ, m) = (Δ', m') then x' ← x EndIf
  A ⇐ (x, x')

Proof. Let A be a pf-2prf adversary attacking H, having time complexity at most
t and querying messages each of at most ℓ chunks. We would like to bound the
advantage Adv^{pf-2prf}_H(A). Let (M, M') denote the pair of messages that A outputs,
and write M = m_1 ··· m_{2n} (n chunks) and M' = m'_1 ··· m'_{2n'} (n' chunks).
Note that n, n' ≤ ℓ. Consider the intermediate games G_i defined in Fig. 5 for
i = 0, ..., ℓ. Note that running A^{G_0} can be identified with running A^H, treating
the condition m_1 ··· m_{2i} = m'_1 ··· m'_{2i} to be true when i = 0. Also, running A^{G_ℓ}
coincides with the random game for A. Hence

$\mathrm{Adv}^{\mathrm{pf\text{-}2prf}}_H(A) = \Pr[A^H \Rightarrow 1] - \Pr[A^{\$} \Rightarrow 1] = P_0 - P_\ell = \sum_{i=0}^{\ell-1} (P_i - P_{i+1}),$

where P_i =def Pr[A^{G_i} ⇒ 1] for i ∈ {0, ..., ℓ}.

Now for each i = 0, ..., ℓ−1 we define an adversary B_i that uses A as a
subroutine and attacks h in the Δ#Δ'-2PRF sense, as described in Fig. 5. It
can be directly verified that Pr[B_i^h ⇒ 1] = Pr[A^{G_i} ⇒ 1] = P_i and
Pr[B_i^$ ⇒ 1] = Pr[A^{G_{i+1}} ⇒ 1] = P_{i+1}. Hence

$\begin{aligned} \mathrm{Adv}^{\mathrm{pf\text{-}2prf}}_H(A) &= \sum_{i=0}^{\ell-1} (P_i - P_{i+1}) \\ &= \sum_{i=0}^{\ell-1} \big(\Pr[B_i^h \Rightarrow 1] - \Pr[B_i^{\$} \Rightarrow 1]\big) \\ &= \sum_{i=0}^{\ell-1} \mathrm{Adv}^{\Delta\#\Delta'\text{-}2prf}_h(B_i) \\ &\le \sum_{i=0}^{\ell-1} \mathrm{Adv}^{\Delta\#\Delta'\text{-}2prf}_h(t') = \ell \cdot \mathrm{Adv}^{\Delta\#\Delta'\text{-}2prf}_h(t'). \end{aligned}$ □

Next we reduce the condition that h be a Δ#Δ'-2PRF to the condition that
h be a ΔΔ'-2PRF, whose definition can be found in Table 7. The notion of
ΔΔ'-2PRF is simpler than that of Δ#Δ'-2PRF, and it is also closer to that of
Δ-2PRF.

Lemma 4. If a compression function h is ΔΔ'-2PRF, then it is Δ#Δ'-2PRF.
More concretely, we have

$\mathrm{Adv}^{\Delta\#\Delta'\text{-}2prf}_h(t) \le 2 \cdot \mathrm{Adv}^{\Delta\Delta'\text{-}2prf}_h(t'),$

where t' = t + T_h.
Adversary C:
  B ⇒ (Δ, m, #, Δ', m')
  If # = 1 then (x, x') ← O(Δ, m, Δ', m')
  Else (i.e., # = 2) (x, x) ← O(Δ, m, Δ, m); x' ←$ {0,1}^c EndIf
  B ⇐ (x, x')
  Output whatever B outputs

Adversary C':
  B ⇒ (Δ, m, #, Δ', m')
  K ←$ {0,1}^c; x ← h_{K⊕Δ}(m)
  If # = 1 then x' ← h_{K⊕Δ'}(m')
  Else (i.e., # = 2) (x', x') ← O(Δ', m', Δ', m') EndIf
  B ⇐ (x, x')
  Output whatever B outputs

Fig. 6. Adversaries C, C'


Proof. Let B be a Δ#Δ'-2prf adversary against h having time complexity at
most t. We create ΔΔ'-2prf adversaries C and C', each using B as its subroutine,
as described in Fig. 6. It can be directly verified that Pr[C^h ⇒ 1] = Pr[C'^$ ⇒ 1],
Pr[C^$ ⇒ 1] = Pr[B^$ ⇒ 1] and Pr[C'^h ⇒ 1] = Pr[B^h ⇒ 1]. Therefore

$\begin{aligned} \mathrm{Adv}^{\Delta\#\Delta'\text{-}2prf}_h(B) &= \Pr[B^h \Rightarrow 1] - \Pr[B^{\$} \Rightarrow 1] \\ &= \Pr[C'^h \Rightarrow 1] - \Pr[C'^{\$} \Rightarrow 1] + \Pr[C^h \Rightarrow 1] - \Pr[C^{\$} \Rightarrow 1] \\ &= \mathrm{Adv}^{\Delta\Delta'\text{-}2prf}_h(C') + \mathrm{Adv}^{\Delta\Delta'\text{-}2prf}_h(C) \\ &\le 2 \cdot \mathrm{Adv}^{\Delta\Delta'\text{-}2prf}_h(t'). \end{aligned}$ □

Finally, we are ready to reach the condition of Δ-2PRF. The last lemma gives
us a straightforward reduction of ΔΔ'-2PRF to Δ-2PRF:

Lemma 5. If a compression function h is Δ-2PRF, then it is ΔΔ'-2PRF. More
concretely, we have

$\mathrm{Adv}^{\Delta\Delta'\text{-}2prf}_h(t) \le \mathrm{Adv}^{\Delta\text{-}2prf}_h(t).$

Proof. Let C be a ΔΔ'-2prf adversary against h having time complexity at most
t. We construct a Δ-2prf adversary D against h that uses C as its subroutine,
as follows.

D runs C and obtains the query (Δ, m, Δ', m'). Then D asks its oracle a query
and receives (x, x') ← O(m, Δ ⊕ Δ', m'). D forwards (x, x') to C and outputs
whatever C outputs.

Here observe that Pr[D^h ⇒ 1] = Pr[C^h ⇒ 1] and that Pr[D^$ ⇒ 1] =
Pr[C^$ ⇒ 1]. Hence we have

$\mathrm{Adv}^{\Delta\Delta'\text{-}2prf}_h(C) = \mathrm{Adv}^{\Delta\text{-}2prf}_h(D) \le \mathrm{Adv}^{\Delta\text{-}2prf}_h(t),$

neglecting the increase in D's time complexity.
The above five lemmas prove Theorem […]. Recall that, without loss of generality,
we can estimate the time complexity of a cAU adversary to be 2·T_H(ℓ). So for the
time complexity t' in Theorem […] we get t' = 2·T_H(ℓ) + 2·T_H(ℓ) + T_h = (4ℓ+1)·T_h.

7 Single-Key Versions

Our BNMAC construction so far requires two independent keys K, K' ∈ {0,1}^c,
which may be an undesirable feature in some cases in practice. However, this
problem is easily resolved through the pseudo-randomness of h. We show two
solutions.

The first method is a trivial way of deriving two keys. Let K* ∈ {0,1}^c be a
master key. From K* derive two keys as K ← h_{K*}(0^b) and K' ← h_{K*}(1^b). We
then use these two keys in place of K, K' ∈ {0,1}^c in the BNMAC construction.
See Fig. 7 for a pictorial description. The only difference between the original
double-key version and this single-key variant lies in the way the two keys
K and K' are produced (in the former K, K' ←$ {0,1}^c, whereas in the latter
these keys are derived via h from K* ←$ {0,1}^c). Hence distinguishing between
the two versions amounts to breaking the pseudo-randomness of h (with two
constant queries 0^b and 1^b to the oracle). It should be noted that if we replace
the PRF assumption with that of pp-MAC in Lemma 1 then the pp-MAC
version of Theorem […] still holds for this single-key variant. This is because the
2PRF requirement on h for key derivation is absorbed into Δ-2PRF of h, not
PRF (against q queries).
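Added illustration, not code from the paper: the first single-key method written out with a stand-in compression function. It assumes h_K(m) = SHA-256(K || m) with c = 256 and b = 512 (a shape-compatible stand-in, not a real compression function), the hyper-Merkle-Damgård iteration x_i = h_{x_{i−1} ⊕ m_{2i−1}}(m_{2i}) over whole (c+b)-bit chunks, the Lemma 1 composition h_{K'}(H_K(M) || 1^{b−c}) as the tag, and K, K' derived from K* as above.

```python
import hashlib

# Assumed parameters for this example: chaining-variable size c = 256 bits and
# block size b = 512 bits, so that b > c as the construction requires.
C_BYTES = 32
B_BYTES = 64


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def h(key: bytes, block: bytes) -> bytes:
    """Stand-in for the compression function h_K : {0,1}^b -> {0,1}^c.

    Assumption: h_K(m) = SHA-256(K || m). It is not a real compression function
    but has the right shape (c-bit key, b-bit block, c-bit output).
    """
    if len(key) != C_BYTES or len(block) != B_BYTES:
        raise ValueError("h expects a c-bit key and a b-bit block")
    return hashlib.sha256(key + block).digest()


def hyper_md(key: bytes, message: bytes) -> bytes:
    """Hyper-Merkle-Damgard iteration H_K, keyed via the initial chaining variable.

    The message is consumed in (c+b)-bit chunks (m_{2i-1}, m_{2i}): the c-bit half
    is XORed into the current chaining variable, which then keys h on the b-bit half,
        x_0 = K,   x_i = h_{x_{i-1} XOR m_{2i-1}}(m_{2i}).
    Only whole chunks are accepted here; the paper's padding rule is not reproduced.
    """
    chunk = C_BYTES + B_BYTES
    if not message or len(message) % chunk:
        raise ValueError("message must consist of one or more whole (c+b)-bit chunks")
    x = key
    for i in range(0, len(message), chunk):
        m_odd = message[i:i + C_BYTES]            # m_{2i-1}, c bits
        m_even = message[i + C_BYTES:i + chunk]   # m_{2i},   b bits
        x = h(xor_bytes(x, m_odd), m_even)
    return x


def derive_keys(master: bytes) -> tuple:
    """Single-key version 1: K = h_{K*}(0^b) and K' = h_{K*}(1^b) from one master key K*."""
    return h(master, b"\x00" * B_BYTES), h(master, b"\xff" * B_BYTES)


def bnmac_tag(master: bytes, message: bytes) -> bytes:
    """Tag = h_{K'}(H_K(M) || 1^{b-c}), the Lemma 1 composition, with (K, K') derived from K*."""
    k, k_prime = derive_keys(master)
    inner = hyper_md(k, message)
    return h(k_prime, inner + b"\xff" * (B_BYTES - C_BYTES))
```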

The second method takes the idea from [22]. See Fig. 8 for the description
of this variant. While this version saves one extra block of invocation to the
compression function, there are two points to be attended to. One is that now
we need the condition b > c + 1 (rather than b > c). The other is that the
pp-MAC version appears to be infeasible in this case.

Fig. 7. Single-key version 1

Fig. 8. Single-key version 2

8 Using a Shorter Key 

Recall that the size c of a chaining variable may be larger than one’s desired 
security parameter, depending on a choice of compression functions. This means 
that in practice the desired size k of the master key K* may be smaller than c, 
disabling the above single-key construction. 

This difficulty can be settled in several ways. One is to use only the first k
bits of c in the above single-key variant (and the remaining c − k bits may be
padded with zeros). Another is to fill out the c bits by multiple copies of a k-bit
key, as K*||K*|| ···. In either example, note that we still do not lose our formal
proofs of security with the first version of the single-key construction, assuming
additionally that the newly keyed function is a 2PRF against corresponding two
oracle queries.

9 Summary 

This paper proposes a novel mode of operation of compression functions, called
hyper-Merkle-Damgård, which can process a message faster than the conventional
Merkle-Damgård iteration and can be used exclusively as a MAC/PRF.
The proofs of security are based on the assumption that the underlying compression
function satisfies some PRF properties. These PRF properties include
a new notion which we call Δ-2PRF. We carefully take a look at this property
and identify it as not a demanding condition. We first give proofs of security of a
double-key version, called BNMAC, and then show that single-key versions can
be easily derived, along with flexibility of the key size.

Acknowledgments. The author would like to thank ASIACRYPT 2007 anonymous
reviewers for their valuable comments, insightful questions and useful suggestions.
The feedback helps the author improve the quality of the paper in its

Abstract. In an effort to design a MAC scheme that is built using
block cipher components and runs faster than the modes of operation for 
message authentication, Daemen and Rijmen have proposed a generic 
MAC construction ALRED and a concrete ALRED instance Pelican. 

The Pelican MAC uses four rounds of AES as a building block to com- 
pute the authentication tag in a CBC-like manner. It is about 2.5 times 
faster than a CBC-MAC with AES, but it is not proven secure. Minematsu
and Tsunoo observed that one can build almost universal (AU2)
hash functions using differentially uniform permutations (e.g., four AES 
rounds with independent keys), and hence, provably secure MAC schemes 
as well. They proposed two MAC schemes MT-MAC and PC-MAC. 
MT-MAC hashes the message using a Wegman-Carter binary tree. Its 
speedup for long messages approaches 2.5, but it is not very memory 
efficient. PC-MAC hashes the message in a CBC-like manner. It is more 
memory efficient. However, its speedup over the message authentication 
modes is about 1.4. 

We notice that using a non-linear permutation as a building block, 
one can construct almost XOR universal (AXU2) hash functions whose 
security is close to the maximum differential probability of the underly- 
ing non-linear permutation. Hence, using four AES rounds as a building 
block will lead to efficient Wegman-Carter MAC schemes that offer much 
better security than the modes of operation for message authentication. 

If the target security is that of the message authentication modes with 
AES, then one can use non-linear permutations defined on 64-bit blocks 
and achieve greater speedup and better key agility. For instance, the ide- 
ally achievable speedup when using the 64-bit components we suggest is 
3.3 to 5.0 as opposed to the 2.5 speedup when using four AES rounds. 

Keywords: Message authentication, Wegman-Carter construction, uni- 
versal hash functions, block ciphers, maximum differential probability. 

1 Introduction 

Message Authentication. Message authentication is one of the basic information
security goals, and it addresses the issues of source corroboration and
improper or unauthorized modification of data. The message authentication
model usually involves three participants: a sender, a receiver and an adver- 
sary. The sender and the receiver have agreed on a secret key. Prior to sending 
a message, the sender uses a signing algorithm that given the message and the 
secret key outputs an authentication tag (or MAC). The sender sends the tag 
along with the message to the receiver. On receipt, the receiver uses a verifica- 
tion algorithm that given the secret key, the message and the tag returns 1 if 
the MAC is valid, or returns 0 otherwise. The goal of the adversary is to trick 
the receiver into accepting a message that was not sent by the sender. 

Message authentication has been heavily addressed in the literature. We
briefly overview some of the results. There are three common approaches to
message authentication. One approach involves using cryptographic hash functions.
The first such schemes were proposed by Tsudik and Kaliski and
Robshaw […], and later analyzed by Preneel and Van Oorschot [44,45]. A popular
hash function based MAC is the HMAC construction of Bellare, Canetti and
Krawczyk […].

Another approach to message authentication involves secure block ciphers
modeled as pseudorandom permutations. The CBC MAC […] is probably
the most studied MAC construction based on block ciphers. Bellare, Kilian and
Rogaway proved its security for fixed-length messages [2]. Petrank and Rackoff
[…] (another proof was provided by Vaudenay […]) showed that EMAC […],
a CBC MAC variant using additional encryption, is secure when the message
length is a multiple of the block size. Black and Rogaway […] proposed a solution
for arbitrary message lengths that uses three keys and only one key scheduling
of the underlying block cipher. Jaulmes, Joux and Valette proposed RMAC […],
which is an extension of EMAC using two keys and a randomness. Iwata and
Kurosawa provided solutions that use only two […] and one key [22]. There are
also block cipher based MAC constructions that do not follow the CBC paradigm
(e.g., the PMAC construction of Black and Rogaway […]).

The third approach is the universal hash function approach. Wegman and
Carter were the first to propose the notion of universal hash functions […] and
their use in message authentication […]. The construction proposed by Wegman
and Carter provides unconditional security. A computationally secure scheme
can be obtained if the random keys are replaced by pseudorandom keys. This
approach was first studied by Brassard […]. The topics related to universal hash
functions and unconditional message authentication have been studied a lot in
the past years. Some of the results include the following. Unconditional message
authentication was first considered by Gilbert, Williams and Sloane […].
Simmons […] developed the theory of unconditional authentication and derived
some lower bounds on the deception probability. The use of universal hashing to
construct unconditionally secure authentication codes has also been studied by
Stinson […] and by Bierbrauer et al. […]. The notion of almost XOR universal hash
functions is due to Krawczyk […]; a bucket hashing technique for constructing
AXU_2 families of universal hash functions and their use to construct computationally
secure MACs were proposed by Rogaway […]. Afanassiev, Gehrmann
and Smeets […] proposed an efficient procedure for polynomial evaluation that
can be used for fast message authentication. MMH, proposed by Halevi and
Krawczyk, and SquareHash, proposed by Etzel, Patel and Ramzan […], are
examples of fast universal hash functions. An efficient universal hash function
family NH and a message authentication code UMAC based on NH were also
proposed by Black et al. […]. Another fast message authentication scheme and
stronger bounds for Wegman-Carter-Shoup authenticators were recently provided
by Bernstein […].

Differential Probability Bounds. Since the publication of the differential
cryptanalysis attacks on DES (Biham and Shamir […]), differential cryptanalysis
has become one of the most studied general attacks on block ciphers, and the
resistance to differential cryptanalysis has become one of the basic block cipher
design criteria. The round keys used by block ciphers are derived from a single
key using a key scheduling algorithm. However, in order to augment the belief
that certain block cipher structures are secure against differential cryptanalysis,
some researchers have provided security proofs assuming random and independent
round keys. The provable security against differential cryptanalysis of some
Feistel structures has been studied by Matsui […]. Hong et al. […] proved an
upper bound on the maximum differential probability for 2 rounds of a substitution
permutation network with highly diffusive linear transformation. Kang
et al. […] provided a bound for any value of the branch number of the linear
transformation. Keliher, Meijer and Tavares [31,32] proposed a new method for
finding the upper bound on the maximum average linear hull probability for substitution
permutation networks (SPN) and applied their method to AES. Park
et al. proved that the maximum differential probability of four rounds of AES is
upper bounded by 1.06 × 2^{−96} [41], and later proved a better bound 1.144 × 2^{−…}
in [42]. A slightly better bound (2^{−113}) was provided by Keliher and Sui [33].

Closely Related Work. Daemen and Rijmen […] have recently proposed a new
heuristic MAC construction ALRED, and a concrete MAC scheme Pelican […].
The Pelican MAC uses four rounds of AES as a building block to compute the
authentication tag in a CBC-like manner, and it is about 2.5 times faster than a
CBC-MAC with AES. However, it is not proven secure. Minematsu and Tsunoo
[40] observe that one can obtain provably secure almost universal hash functions
(AU_2) by using differentially uniform permutations such as four rounds of AES
with independent keys in a Wegman-Carter binary tree. They also propose a
message authentication scheme MT-MAC that makes use of the proposed AU_2
hash function. However, they note that such a construction is not memory efficient,
and suggest a CBC-like AU_2 hash PCH (Periodic CBC Hash) and a proven secure
MAC scheme PC-MAC based on PCH. The speedup of PC-MAC over the modes
with AES is 1.4.

Our Contribution. We propose a CBC-like AXU_2 hash UHC (Universal Hash
Chaining) and a variant of a Wegman-Carter binary tree AXU_2 hash (the MACH
hash). Both constructions use a non-linear invertible transformation as a building
block. Their proven security is somewhat smaller than the maximum differential
probability of the underlying non-linear permutation, and it does not change
with the message length as in the polynomial constructions or PCH. Hence,
if one uses four rounds of AES with independent keys as a building block one
can obtain a message authentication scheme that is more time efficient and offers
significantly greater security compared to the message authentication modes with
AES. If the target security is that of the message authentication modes with AES,
then one can use non-linear permutations defined on 64-bit strings (blocks). This
allows for greater speedup and better key agility. For instance, the non-linear
transformations that we suggest use 128- and 192-bit keys as opposed to the
512-bit key required by four rounds of AES. If these components are used in a
Wegman-Carter single-binary-tree hash, then the achievable speedup for lengthy
messages approaches 4.5 on 8-bit architectures, 3.3 on 32-bit architectures and
5 on 64-bit architectures with relatively large L1 cache as opposed to the 2.5
speedup achievable when the non-linear permutation is four rounds of AES.
In order to improve the memory efficiency, MACH, the message authentication
scheme we propose, uses the modified Wegman-Carter tree AXU_2 hash function
(the MACH hash) instead of a single tree. The estimated speedup of the resulting
scheme is somewhat smaller, but still significant (see Section […] for more details).

2 Basic Building Blocks 

In this section, we propose some basic AXU_2 and AU_2 hash functions. We use
these functions as building blocks to construct efficient message authentication
schemes.

2.1 AXU_2 Hash Functions Based on Block Cipher Design Techniques

Given a (keyed) non-linear function F, one can construct an AXU_2 hash function
as follows. To hash a message x, two keys K and K_r are chosen randomly. The
hash of x is F(K, x ⊕ K_r). If F is not a keyed transformation, then the hash of
x is F(x ⊕ K_r). The role of the key K_r is to randomize the input of F since the
maximum differential probability is defined for a randomly selected input and a
constant input difference. The AXU_2 definition on the other hand requires both
the input and the input difference to be constant. A more formal analysis is
given below.

Lemma 1. Let F : {0,1}^k × {0,1}^m → {0,1}^n be a mapping that maps a
pair of a k-bit key and a message (block) of length m into an n-bit string. The
family of hash functions H = {h_{K,K_r} : {0,1}^m → {0,1}^n | K ∈ {0,1}^k, K_r ∈
{0,1}^m, h_{K,K_r}(x) = F(K, x ⊕ K_r)} is ε-AXU_2, where ε is equal to the maximum
(expected) differential probability of F

$\mathrm{DP}_F = \max_{\Delta x \neq 0,\, \Delta y} \frac{\#\{(K, x) \in \{0,1\}^k \times \{0,1\}^m \mid F(K, x \oplus \Delta x) \oplus F(K, x) = \Delta y\}}{2^{k+m}}.$
The non-linear function defined by four rounds of AES is a good candidate
for constructing AXU hash functions. To hash a 128-bit block x, one selects
four uniformly random keys and "encrypts" x using the four keys as round keys.
Here, we assume that the key addition is at the beginning of the rounds, not
at the end of the rounds. We also assume that the fourth round is a final AES
round. It was shown in [33] that the maximum differential probability of four
rounds of AES is at most about 2^{−113} when the round keys are independent.
Hence, the hash function family H_AES consisting of the transformations defined
by four rounds of AES for all possible values of the round keys is ε-AXU_2, where
ε ≈ 2^{−113}. We propose two additional constructions.

The first AXU_2 family of hash functions that we suggest is defined by the
Feistel structure depicted in Fig. 1. The 64-bit input is transformed into a 64-bit
hash using three Feistel rounds. Each round uses a new 64-bit key. The round
function is depicted in Fig. 1(b). It is constructed using AES components. That
is, the S-box and the mixing transformation used in the round function are the same
as those used in AES. Each key defines a hash function that maps a 64-bit
string (message) into a 64-bit hash, and we denote by H_FES the family of hash
functions defined by the 2^192 possible keys.



Fig. 1. A Feistel AXU construction: (a) the 64-bit message is hashed using three Feistel 
rounds with independent keys, (b) The round function is an SPN structure. The S-box 
and the mixing transformation are those used in AES. 


The security of H_FES is provided by the following lemma.

Lemma 2. The H_FES family of hash functions is ε-AXU_2, where ε = 1.52 × 2^{−56}.

The second AXU_2 family of hash functions that we suggest is defined by the
keyed nonlinear transformation shown in Fig. 2. It is a two-round SPN structure
that transforms a 64-bit input into a 64-bit output. The S-box that is used in the
construction is the same as the one used in AES. The mixing transformation is given
by the circulating-like MDS matrix proposed in […] (p. 167). The multiplication
and addition are over GF(256) modulo the irreducible polynomial x^8 + x^4 + x^3 +
x^2 + 1 over GF(2). The coefficients are given by the following polynomials over
GF(2): a = x + 1, b = x^3 + 1, c = x^3 + x^2, d = x, e = x^2 and f = x^4. Each key
defines a hash function that maps a 64-bit message into a 64-bit hash, and we
denote by H_F64 the family of 2^128 hash functions whose members are determined
by the possible key values.



Fig. 2. An SPN AXU construction: (a) The global structure, (b) The 8 × 8 matrix used
in the linear mixing layer. The multiplication and addition are over GF(256) modulo
x^8 + x^4 + x^3 + x^2 + 1 over GF(2). The coefficients are a = x + 1, b = x^3 + 1, c = x^3 + x^2,
d = x, e = x^2 and f = x^4.


The following lemma establishes the security of H_F64.

Lemma 3. The H_F64 family of hash functions is ε-AXU_2, where ε = 1.25 × 2^{−54}.


2.2 The AU_2 Hash Functions

Given a keyed non-linear function that can be represented as a composition of
two non-linear transformations whose keys¹ are independent (see Fig. 3(a)), one
can construct an AU hash function (see Fig. 3(b)) as follows.

Lemma 4 (Twisting Lemma). Let F(K, x) be defined as F(K, x) =
F_2(K_2, F_1(K_1, x) ⊕ K_s), where K = K_1|K_s|K_2, F_1 : {0,1}^{k_1} × {0,1}^l → {0,1}^n,
and F_2 : {0,1}^{k_2} × {0,1}^n → {0,1}^n is a bijection for any key value K_2.
Then, the family of hash functions H = {h_{K_1,K_{r1},K_2,K_{r2}} : {0,1}^l × {0,1}^n →
{0,1}^n | h_{K_1,K_{r1},K_2,K_{r2}}(x_1, x_2) = F_1(K_1, x_1 ⊕ K_{r1}) ⊕ F_2^{−1}(K_2, x_2 ⊕ K_{r2})} is
ε-AU_2, where K_1 ∈ {0,1}^{k_1}; K_2 ∈ {0,1}^{k_2}; x_1, K_{r1} ∈ {0,1}^l; x_2, K_{r2} ∈ {0,1}^n,
and ε = DP_F.

¹ We consider a more general case. However, F_1 and F_2 do not have to be keyed
transformations (i.e., the lengths of the keys K_1 and K_2 can be zero as well).

The structure of the function F depicted in Fig. 3(a) can be found in almost
any block cipher and allows for a variety of AU_2 hash function constructions
by "twisting" block ciphers. One such example is the construction proposed in
[…], which is depicted in Fig. 3(c). The function F in this case is a composition
of an identity map and the inverse of a differentially uniform permutation. The
twisting lemma is slightly abused since no key is added to the first block. Such
key addition will be canceled when we consider differences and increases the time
complexity since one has to generate a random key K_{r1}.



Fig. 3. AU_2 construction by "twisting" block ciphers: (a) the original non-linear
transformation F, (b) the non-linear transformation F' obtained by "twisting" F, (c) AU_2
construction proposed in […]


The general construction of Lemma 4 offers a somewhat greater level of parallelism
than the one of Fig. 3(c) (one can evaluate F_1 and F_2 in parallel). However,
the overall impact on the schemes proposed in this paper is not significant, and
we use a variant of Fig. 3(c) which is derived by extending its domain to include
messages of length 0 and 1 blocks:

$g_F(x_1, x_2) = \begin{cases} \lambda & \text{if } x_1 = x_2 = \lambda \\ x_1 & \text{if } x_1 \neq \lambda,\ x_2 = \lambda \\ x_1 \oplus F(K, x_2 \oplus K_r) & \text{if } x_1 \neq \lambda,\ x_2 \neq \lambda \end{cases}$

where λ is the empty string, x_1, x_2 ∈ {0,1}^n ∪ {λ}, K_r ∈ {0,1}^n and F is a
(keyed) non-linear permutation on {0,1}^n.

Let G_F be the family of the hash functions defined as above. We have the
following lemma.

Lemma 5. The family of hash functions G_F is ε-AU_2, where ε = DP_F.
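Added check, not from the paper: Lemma 1 of Section 2.1 and Lemma 5 above verified exhaustively on a constructed toy instance F(K, x) = S(x ⊕ K), with the 4-bit PRESENT S-box as S (an assumption standing in for the paper's AES-based maps). The code computes DP_F as defined in Lemma 1, the largest differential probability of h_{K,K_r}(x) = F(K, x ⊕ K_r) over all x ≠ x' and Δy, and the largest collision probability of g_F over distinct input pairs, including the λ cases.

```python
from collections import Counter, defaultdict
from itertools import combinations, product

# Constructed toy instance, small enough to check the lemmas exhaustively:
# the 4-bit PRESENT S-box as the non-linear map, keyed as F(K, x) = S(x XOR K).
# (A stand-in for the four-AES-round, FES and F64 maps of the paper; k = m = 4.)
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
KEYS = range(16)      # {0,1}^k
BLOCKS = range(16)    # {0,1}^m
LAMBDA = None         # the empty string lambda of Section 2.2


def F(key: int, x: int) -> int:
    """Keyed non-linear map of the block; a permutation for every fixed K."""
    return SBOX[x ^ key]


def max_differential_probability() -> float:
    """DP_F = max_{dx != 0, dy} #{(K, x) : F(K, x ^ dx) ^ F(K, x) = dy} / 2^(k+m)."""
    best = 0
    for dx in range(1, 16):
        counts = Counter(F(key, x ^ dx) ^ F(key, x) for key, x in product(KEYS, BLOCKS))
        best = max(best, max(counts.values()))
    return best / (len(KEYS) * len(BLOCKS))


def h_axu(key: int, key_r: int, x: int) -> int:
    """Lemma 1 hash h_{K,K_r}(x) = F(K, x XOR K_r): K_r randomizes the input of F."""
    return F(key, x ^ key_r)


def max_axu_probability() -> float:
    """max over x != x', dy of Pr_{K,K_r}[h(x) ^ h(x') = dy]; Lemma 1 says at most DP_F."""
    best = 0
    for x, x2 in product(BLOCKS, BLOCKS):
        if x == x2:
            continue
        counts = Counter(h_axu(k, kr, x) ^ h_axu(k, kr, x2) for k, kr in product(KEYS, BLOCKS))
        best = max(best, max(counts.values()))
    return best / (len(KEYS) * len(BLOCKS))


def g(key: int, key_r: int, x1, x2):
    """Section 2.2 AU_2 block g_F: lambda if both empty, x1 if x2 empty, else x1 ^ F(K, x2 ^ K_r)."""
    if x1 is LAMBDA and x2 is LAMBDA:
        return LAMBDA
    if x2 is LAMBDA:
        return x1
    return x1 ^ F(key, x2 ^ key_r)


def max_au_collision_probability() -> float:
    """max over distinct (x1,x2) != (x1',x2') of Pr_{K,K_r}[g(x1,x2) = g(x1',x2')]; Lemma 5 says <= DP_F."""
    inputs = [LAMBDA] + list(BLOCKS)
    # g_F is defined for (lambda, lambda), (x1, lambda) and (x1, x2), never (lambda, x2).
    pairs = [(a, b) for a in inputs for b in inputs if not (a is LAMBDA and b is not LAMBDA)]
    collisions = Counter()
    for key, key_r in product(KEYS, BLOCKS):
        buckets = defaultdict(list)
        for p in pairs:
            buckets[g(key, key_r, *p)].append(p)
        for same in buckets.values():
            # every two inputs landing in the same bucket collide under this (K, K_r)
            for p, q in combinations(same, 2):
                collisions[(p, q)] += 1
    return max(collisions.values()) / (len(KEYS) * len(BLOCKS))
```

All three quantities come out equal to DP_F = 1/4 on this toy instance, i.e. the bounds of Lemma 1 and Lemma 5 are tight here.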
The AU_2 families that we use are obtained when the AXU_2 hash function
F(K, K_r ⊕ x) is realized using the transformations discussed in Section 2.1. We
denote by G_AES, G_FES and G_F64 the families of hash functions when F(K, K_r ⊕ x)
is realized using four AES rounds, the Feistel structure of Fig. 1 and the SPN
structure of Fig. 2 respectively. According to the previous discussion, G_AES,
G_FES and G_F64 are ε-AU_2 with ε being 2^{−113}, 1.52 × 2^{−56} and 1.25 × 2^{−54}
correspondingly.

3 AXU_2 Hash Functions Defined for Arbitrary-Length Messages

The universal hash functions introduced in the previous section operate on message
blocks. In this section, we consider some techniques for extending the domains
to include arbitrary-length messages. The proposed constructions use a
large number of keys. However, these keys are derived from a single 128-bit key
in the message authentication scheme we propose in Section 4.

3.1 A CBC-Like Construction

CBC is a popular approach to MAC design. The Pelican MAC of […] and the
PCH (Periodic CBC Hash) of […] resemble CBC as well. Here, we present another
CBC-like family of hash functions H_UHC (Universal Hash Chaining). The
advantage of UHC over the Pelican construction is that it is proven secure. Its
advantage over PCH is that the security does not decrease with the message
length. Assuming small differential probabilities, the provided upper bound on
the collision probability of PCH is roughly l^2/2^n, where l is the message length
and n is the block length. If the message length is about 2^40, this results in about
2^{−50} proven security when using four rounds of AES as a building block. The
proven security of UHC in this case will be about 2^{−112}.

H_UHC is depicted in Fig. 4. We assume that F is a permutation on the set
of n-bit strings for a given key. To hash a message consisting of l segments of m
blocks, we select randomly m−2 randomization keys K_{r3}, ..., K_{rm} and m−1 keys
K_2, K_3, ..., K_m for the non-linear map F. These keys are used for all segments of
the message. In addition, two fresh randomization keys K_{ri1}, K_{ri2} and a fresh key
K_{i1} for the non-linear map are selected anew for each segment of the message.
The message is "digested" in a CBC-like manner using these keys as depicted in
Fig. 4. The resulting family of hash functions is AXU_2.

Lemma 6. H_UHC is ε-AXU_2, where ε = 2DP_F.

3.2 A Modified Wegman-Carter Binary Tree Construction 

MACH, the MAC scheme that we propose, uses the following variant of the 
Wegman-Carter binary tree hash. 
Fig. 4. A CBC-like AXU construction. Fresh keys are used only for the first two blocks
of each segment.


To hash a message M consisting of l blocks², we first "append" λ-"blocks"³
so that the number of blocks in the message is a multiple of 2^N. The resulting
λ-padded message is partitioned into segments consisting of 2^N blocks. Each
segment is hashed using the same secret member of G_F in a binary hash tree
of height N. Recall that the members of G_F were defined as g_F(x_1, x_2) =
x_1 ⊕ F(K, K_r ⊕ x_2) if x_2 is not λ, g_F(x_1, λ) = x_1, and g_F(λ, λ) = λ, where F
is a (keyed) non-linear permutation on n-bit strings. The output of each binary
tree is hashed using F as in Lemma 1 and the resulting n-bit blocks are xor-ed
to give the final hash value. The keys used in the last step are generated
independently for different segments of the message. We use H_MACH(N) to
denote the family of hash functions described above. An example when N = 2
is given in Fig. 5.

The time complexity of the MACH hash is determined by the time to generate
the required keys, and the time to hash the message. Assuming that the keys are
already generated, the time to hash the message is one F evaluation per n-bit
block of the message, and it is the same as that of UHC. The same levels of the
binary trees in the MACH hash use the same key. So, one has to generate and
memorize N keys that will be used by the binary trees. In addition, one has to
generate one potentially large key per segment for the last step of the hashing
procedure. Since the length of the segments is 2^N blocks, the MACH hash is
advantageous over the UHC hash where one has to generate fresh keys every N
blocks.

Using a single binary tree will lead to greater speedup for long messages.
However, one will have to memorize a large number of keys to allow hashing
of lengthy messages. In the MACH hash, the fresh keys can be "thrown away"
after their use. So, by carefully selecting the value of N, one can achieve close
to a single-binary-tree speed while significantly improving the key agility and
memory efficiency compared to the single-binary-tree construction.

² We assume that the message length is a multiple of the block length.

³ The sole purpose of the λ padding is to simplify our description and analysis. In
practice, the λ padding will be omitted.

Fig. 5. An AXU_2 construction using a modification of the Wegman-Carter binary tree
(N = 2)

H_MACH(N) is basically a composition of an AU_2 hash function (the binary 
trees in parallel) and an AXU_2 hash function (the xor of the AXU_2 hash func- 
tions). As was the case with H_UHC, the security of H_MACH(N) does not 
decrease with the message length. 

Lemma 7. H_MACH(N) is an ε-AXU_2 family of hash functions, where 
$\varepsilon = (N + 1) \cdot \mathrm{DP}_F$. 

The message authentication schemes that we propose in this paper use 
the H^AES_MACH(5), H^FES_MACH(7) and H^F64_MACH(7) hash function families. Here, 
H^AES_MACH(5) is the MACH hash function family where the binary trees are of height 
5, the AU hash function family used in the binary trees is G_AES of Section 2.2, 
and the AXU hash function family used in the last step is the H_AES hash func- 
tion family described in Section [?]. Similarly, H^FES_MACH(7) (resp., H^F64_MACH(7)) 
is the MACH hash function family that uses binary trees of height 7, and whose 
non-linear function F is implemented using the Feistel (resp., SPN) structure of 
Fig. [?] (resp., Fig. [?]). 
4 MACH: An Efficient Wegman-Carter MAC Scheme 
Based on Block Cipher Design Techniques 

In this section, we present MACH. MACH, where H stands for the use of hash 
functions, is a Wegman-Carter MAC scheme that is obtained by applying the 
technique presented in [?] to H_MACH. 

4.1 The Signing (Tagging) and Verifying Algorithms of MACH 

Signing. A pseudo-code of the MACH signing algorithm is given in Algorithm 1. 
It takes as input a secret key K, a 64-bit counter value Cntr < MAX_CNTR 
associated with that key and a message M of bit length |M| < MAX_LEN. The 
secret key K and the counter value Cntr are used as an input to a pseudorandom 
generator that outputs two keys K_h and K_t. The key K_h specifies which member 
of H_MACH will be used to hash the message, and the key K_t is used to encrypt 
the hash of the message. Given the key K_h, a hash h = H_{K_h}(M|10*) of the 
10*-padded message is computed using the H_MACH family of hash functions. 
The authentication tag τ is the pair consisting of the counter value Cntr and 
h_τ = h ⊕ K_t. 


Algorithm 1. MACH.Sign(K, Cntr, M) 

Input: A (128-bit) secret key K, a 64-bit counter value Cntr and a message M. 
Output: An authentication tag τ. 

  Cntr++ 
  len ← |M|                          // len is the bit length of the message M 
  K_h, K_t ← Gen(Cntr, K) 
  i ← (n − ((len + 1) mod n)) mod n 
  h ← H_{K_h}(M | 1 | 0^i) 
  h_τ ← h ⊕ K_t 
  return (Cntr, h_τ) 


The keys K_h and K_t can be generated using a pseudorandom generator 
(i.e., a stream cipher). The key generation in this case will be faster than 
using a block cipher, and the resulting scheme will be more competitive for 
small message lengths. However, there are some practical advantages of gen- 
erating the keys using a block cipher in a counter-like mode. So, we suggest 
that the keys be generated using AES as follows. The key K_t is computed as 
K_t = trun(AES_K(1|0^63|Cntr)), where Cntr is a 64-bit counter value, and trun(·) 
selects the first |h| bits of AES_K(1|0^63|Cntr). The words of the key K_h are com- 
puted as K_h[i] = AES_K(0^64|⟨i⟩), where ⟨i⟩ is a 64-bit representation of i. If the 
length of K_h is not a multiple of 128, then the last "word" K_h[K_BLCKS] of K_h 
is derived by selecting the first |K_h[K_BLCKS]| bits of AES_K(0^64|⟨K_BLCKS⟩). 
Here, K_BLCKS is the number of blocks in K_h, and it is determined by the 
length of the key material we need to hash a message of length MAX_LEN. 
Remark. To simplify our description and security analysis, we have assumed that 
the key K_h is generated at the beginning, and that it is long enough to hash 
messages of maximum length. Clearly, such an implementation is not practical at 
all. In practice, to avoid expensive key setup and increase the memory efficiency 
of the scheme, the keys will be generated on the fly, and only a small portion 
of the keys (e.g., the keys used by the binary trees) will be memorized when 
computing the hash of the message. 

Verifying. Given a message M, an authentication tag τ = (Cntr, h_τ) asso- 
ciated with the message and the secret key K, the verifier computes the keys 
K_h, K_t, and recomputes the authentication tag using these keys. If the recom- 
puted tag (Cntr, K_t ⊕ H_{K_h}(M|10*)) is equal to the one that was sent, then the 
verifier accepts the message M as authentic. Otherwise, the verifier rejects the 
message M. 
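The signing and verifying procedure above, written out as an added Python example (this is not the paper's code). It follows Algorithm 1 and the Gen key derivation exactly in structure, with three labelled assumptions: the keyed permutation F and the AES calls in Gen are replaced by an HMAC-SHA256 stand-in because the standard library has no AES; the layout of K_h (level key pairs first, then one fresh key per segment) and the form of the last tree step, F(K_seg, root), are assumed; and the binary trees have height 5 as in H^AES_MACH(5). The verifier also applies the forgery-attempt budget of 2^20 invalid pairs discussed in Section 4.3.

```python
import hashlib
import hmac

BLOCK = 16                # n = 128-bit blocks
MAX_CNTR = 2 ** 64 - 1    # 64-bit counter; rekey before it is exhausted
MAX_FORGERIES = 2 ** 20   # Section 4.3: more invalid pairs than this is treated as an attack


def F(key: bytes, x: bytes) -> bytes:
    """Stand-in for the paper's keyed non-linear permutation F and for the AES
    calls in Gen.  ASSUMPTION: HMAC-SHA256 truncated to one block, used only
    because the standard library has no AES; it is not the paper's F."""
    return hmac.new(key, x, hashlib.sha256).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def gen_keys(master: bytes, cntr: int, n_blocks: int):
    """Gen(Cntr, K) as in Section 4.1: K_t = trun(AES_K(1|0^63|Cntr)) and
    K_h[i] = AES_K(0^64|<i>); only K_t depends on the counter."""
    k_t = F(master, b"\x80" + b"\x00" * 7 + cntr.to_bytes(8, "big"))
    k_h = [F(master, b"\x00" * 8 + i.to_bytes(8, "big")) for i in range(n_blocks)]
    return k_h, k_t


def pad_10star(msg: bytes) -> bytes:
    """M | 1 | 0^i with i = (n - ((len + 1) mod n)) mod n, for byte-aligned M."""
    i = (128 - ((8 * len(msg) + 1) % 128)) % 128
    return msg + b"\x80" + b"\x00" * ((1 + i) // 8 - 1)


def g_F(k: bytes, k2: bytes, x1, x2):
    """Tree node g_F(x1, x2) = x1 xor F(K, K' xor x2); the pad symbol Λ is None."""
    if x1 is None and x2 is None:
        return None
    if x2 is None:
        return x1
    return xor(x1, F(k, xor(k2, x2)))


def mach_hash(k_h, padded: bytes, height: int) -> bytes:
    """H_MACH(N): one binary tree of height N per segment of 2^N blocks, the same
    level keys for every tree, a fresh key per segment for the last step, and the
    per-segment outputs xor-ed together.  ASSUMPTIONS: level l uses the key pair
    (K_h[2l], K_h[2l+1]), segment s uses K_h[2N+s], and the last step is
    F(K_seg, root); the paper fixes these details in its own lemmas."""
    blocks = [padded[j:j + BLOCK] for j in range(0, len(padded), BLOCK)]
    seg = 2 ** height
    level_keys = [(k_h[2 * l], k_h[2 * l + 1]) for l in range(height)]
    result = b"\x00" * BLOCK
    for s, start in enumerate(range(0, len(blocks), seg)):
        layer = blocks[start:start + seg]
        layer += [None] * (seg - len(layer))          # Λ padding of the last segment
        for k, k2 in level_keys:
            layer = [g_F(k, k2, layer[j], layer[j + 1]) for j in range(0, len(layer), 2)]
        result = xor(result, F(k_h[2 * height + s], layer[0]))
    return result


def keys_needed(padded: bytes, height: int) -> int:
    """Number of K_h blocks under the layout assumed above."""
    segments = -(-len(padded) // (BLOCK * 2 ** height))
    return 2 * height + segments


def mach_sign(master: bytes, cntr: int, msg: bytes, height: int = 5):
    """Algorithm 1: returns the tag (Cntr, h xor K_t).  The caller must persist
    the incremented counter so that no counter value is reused under one key."""
    if cntr >= MAX_CNTR:
        raise ValueError("counter exhausted: rekey before signing")
    cntr += 1
    padded = pad_10star(msg)
    k_h, k_t = gen_keys(master, cntr, keys_needed(padded, height))
    return cntr, xor(mach_hash(k_h, padded, height), k_t)


class Verifier:
    """Verification as in Section 4.1 plus the forgery-attempt budget of Section 4.3."""

    def __init__(self, master: bytes, height: int = 5):
        self.master, self.height, self.failures = master, height, 0

    def verify(self, msg: bytes, tag) -> bool:
        if self.failures >= MAX_FORGERIES:
            return False                       # assume we are under attack
        cntr, h_tau = tag
        padded = pad_10star(msg)
        k_h, k_t = gen_keys(self.master, cntr, keys_needed(padded, self.height))
        expected = xor(mach_hash(k_h, padded, self.height), k_t)
        ok = hmac.compare_digest(expected, h_tau)   # constant-time comparison
        if not ok:
            self.failures += 1
        return ok
```

Because K_t is the only counter-dependent key, a tag replayed under a different counter value fails verification, and reusing a counter under one key would leak the xor of two hashes; the counter state therefore has to be stored as carefully as the key itself.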

4.2 Security of MACH 

The security of MACH is established by the following theorem. 

Theorem 1. The advantage of any forger of MACH that runs in at most t time 
and makes at most q_v forgery attempts is upper bounded by 

$$\mathrm{Adv}^{\mathrm{forge}}_{\mathrm{MACH}}(t, q_v) \le \mathrm{Adv}^{\mathrm{prp}}_{\mathrm{AES}}(c_1 t + c_2, Q_e) + q_v \,(1 - 2^{-128})^{-Q_e/2}\,(N + 1)\,\mathrm{DP}_F,$$ 

where c_1 and c_2 are small implementation dependent constants, Q_e = K_BLCKS + 
MAX_CNTR, N is the height of the binary trees used by the hash function, DP_F 
is the maximum differential probability of the nonlinear permutation F used by 
the hash function, and Adv^prp_AES(c_1 t + c_2, Q_e) is the advantage of distinguishing 
AES from a random permutation when running in at most c_1 t + c_2 time and 
querying an encryption oracle at Q_e distinct message blocks. 

4.3 MACH Variants, Security and Performance Comparison 

We suggest three MACH variants: MACH-AES, MACH-FES and MACH-F64. 
As their names suggest, the proposed MACH variants are obtained when the 
messages are hashed using H^AES_MACH(5), H^FES_MACH(7) and H^F64_MACH(7) respectively 
(see the preceding section for a description of these hash functions). In the following, we 
briefly discuss the security and performance of these schemes. 

Security. A comparison of the proposed variants in terms of their security 
and the speedup over the modes for message authentication that use AES as 
a building block is given in Table 1. The security expressions are derived us- 
ing Theorem 1. We assume that both K_BLCKS and MAX_CNTR are 2^64. The 
number of encryption queries in this case will be Q_e = 2^65, and δ is the ad- 
vantage of distinguishing AES from a random permutation given Q_e pairs of 
plaintext/ciphertext blocks. 
Table 1. Security and performance comparison of the MACH variants 

            Speedup over message authentication modes 
            8-bit c.a.      32-bit c.a.     64-bit c.a. 
Scheme      1 KB    ∞       1 KB    ∞       1 KB        ∞           Security 
MACH-AES    1.25    2.10    1.19    1.90    1.19        1.90        δ + q_v × 1.28 × 2^-[?] 
MACH-FES    2.37    3.76    1.99    2.88    1.99        2.88        δ + q_v × 1.30 × 2^-[?] 
MACH-F64    1.85    2.10    1.51    1.86    2.10-2.94   2.81-4.64   δ + q_v × 1.07 × 2^-[?] 

(The exponents in the Security column are illegible in the source scan and are marked [?].) 


The tag length and the security of MACH-FES and MACH-F64 are compa- 
rable to those of the modes of operation for message authentication using AES 
as a building block. Note that the security of MACH-FES and MACH-F64 is 
determined by the number of forgery attempts. If the application allows the 
verifier to limit the number of forgery attempts, then one can achieve good se- 
curity for a large number of very long messages. For example, assume that the 
verifier keeps track of the number of invalid message/tag pairs. If this num- 
ber exceeds 2^20, then the verifier assumes it is under attack and rejects any 
subsequent message. Under these circumstances, we can use MACH-FES and 
MACH-F64 to authenticate 2^64 messages of length 2^64 blocks with ≈ 2^-30 
forgery probability. However, using 2^64 signing queries and a single forgery at- 
tempt, one can easily break most of the existing modes of operation for message 
authentication. If the maximum allowed message length is relatively large, then 
the security of MACH-FES and MACH-F64 is comparable to or better than that of 
the polynomial-based constructions too. For example, if one allows messages of 
length > 2^52 blocks, then the proven security of Poly1305-AES becomes smaller 
than that of MACH-FES and MACH-F64. 

Assuming that the advantage of distinguishing AES from a random permu- 
tation given 2^65 plaintext/ciphertext pairs is small, MACH-AES provides sig- 
nificantly better security than MACH-FES and MACH-F64. The tag length 
(including the counter) of MACH-AES is 192 bits, and it is larger than that of 
the modes of operation for message authentication. 

Performance. Performance evaluation of a given message authentication 
scheme is not an easy task since it depends on the specific platform, the imple- 
mentation of the algorithms and the message length distribution. The speedup 
estimates given in Table 1 are computed by making the following assumption: 
the algorithms are implemented using basic arithmetic and memory reference 
instructions available on RISC computer architectures. The speedup is com- 
puted by dividing the time needed to compute the tag using AES in a message 
authentication mode by the time needed to compute the tag using the pro- 
posed schemes. The execution time, on the other hand, is estimated based on the 
number of arithmetic and memory reference instructions required to compute 
the tag. 

We have considered two cases. In the first case, which is denoted 1 KB, the 
message length is 1024 bytes as in [?]. The speedup in this case approximates 
the speedup when the message length distribution follows the IP packet size dis- 
tribution on the Internet. The time to compute the tag in this case includes the 
time needed to generate all the keys that are required to hash the message. In 
the second case, which is denoted ∞, we assume that the keys used by the binary 
trees of the hash function are already generated and memorized. The time to 
compute the tag includes the time needed to generate the fresh keys used for 
the different segments of the message, but it does not include the time to gen- 
erate the keys used by the binary trees in the MACH hash. The speedup in the 
second case approximates the speedup when authenticating a single long mes- 
sage or authenticating a relatively long sequence of short messages (e.g., stream 
authentication, authenticating the packets exchanged between two routers in 
a VPN, authenticating the packets exchanged during a single communication 
session, etc.). 

MACH-AES and MACH-FES use AES components as building blocks. Hence, 
the estimation of their speedups is easier. The key generation cost is one AES 
encryption per 128 bits of the key material. Given the keys, the cost of hashing 
per 128-bit block is about 4 AES rounds for MACH-AES and 3 AES rounds for 
MACH-FES on 32-bit and 64-bit architectures. The AES matrix multiplication 
is relatively costly on 8-bit architectures (about 40 arithmetic operations). The 
mixing transformation is omitted in the fourth round of the non-linear func- 
tion used by MACH-AES. Thus, on 8-bit architectures, the cost of hashing is 
about 3.5 AES rounds per 128-bit block when using MACH-AES. For similar 
reasons, the cost of hashing is about 2.2 AES rounds per 128-bit block on 8-bit 
architectures when using MACH-FES. 

MACH-F64 uses an 8 × 8 multiplication matrix which is not a component of 
AES. Hence, the computation of the speedup is more complicated. A detailed dis- 
cussion on implementing this matrix multiplication on various platforms can be 
found in [?]. We will only note that the largest speedup values on 64-bit architec- 
tures are computed assuming that the non-linear transformation of MACH-F64 
is implemented using 8 look-up tables, each one containing 256 64-bit entries. 
The memory required to store these tables is 16 KB, which is a relatively small 
portion of the L1 cache of many processors. For example, AMD Athlon, Ultra- 
Sparc III and Alpha 21264 have 64 KB L1 cache, PowerPC G4 and G5 have 32 
KB L1 cache, etc. 

Summary. MACH-AES is less time and memory efficient than MACH-FES 
and MACH-F64. However, it provides much better security, and the achievable 
speedup over the message authentication modes is significant in some settings. 
MACH-F64 and MACH-FES provide security and tag lengths that are compa- 
rable to those of the message authentication modes. The target computer archi- 
tecture of the MACH-F64 design was a 64-bit architecture with large L1 cache, 
and it is extremely efficient on these architectures. MACH-FES, on the other 
hand, is very efficient on 8-bit architectures, and achieves a significant speedup on 
32- and 64-bit architectures as well. Both MACH-AES and MACH-FES are built 
using AES components, so they have the advantage of reusing AES software 
and hardware. 
Symmetric Key Cryptography on Modern Graphics Hardware 

Abstract. GPUs offer a tremendous amount of computational band- 
width that was until now largely unusable for cryptographic computa- 
tions due to a lack of integer arithmetic and user-friendly programming 
APIs that provided direct access to the GPU's computing resources. The 
latest generation of GPUs, which introduces integer/binary arithmetic, 
has been leveraged to create several implementations of the AES and 
DES symmetric key algorithms. Both conventional and bitsliced imple- 
mentations are described that achieve data rates on the order of 3-30 
Gbps from a single AMD HD 2900 XT graphics card, yielding speedups 
of 6-60× over equivalent implementations on high-performance CPUs. 

1 Introduction 

In recent years, there has been significant interest from both academia and in- 
dustry in applying commodity graphics processing units (GPUs) toward gen- 
eral computing problems [1]. This trend toward general-purpose computation on 
GPUs (GPGPU) is spurred by the large number of arithmetic units and the high 
memory bandwidth available in today's GPUs. In certain applications, where 
there is a high compute to memory bandwidth ratio (a.k.a. arithmetic intensity), 
the GPU has the potential to be orders of magnitude faster than conventional 
CPUs due to the parallel nature of GPUs versus CPUs, which are inherently 
optimized for sequential code. In addition, the computational power of GPUs is 
growing at a faster rate than what Moore's Law predicts for CPUs (Figure 1). 

With the introduction of native integer and binary operations in the latest 
generation of GPUs, we believe that bulk encryption and its related applications 
(e.g., key searching) are ideally suited to the GPGPU programming model. In 
this paper we demonstrate the viability of the GPGPU programming model 
for implementing symmetric key ciphers on GPUs. We examine high-efficiency 
bitsliced implementations of the AES and DES algorithms, as well as compare 
conventional block-based implementations of AES on previous/current genera- 
tion GPUs. We demonstrate AES and DES running on an AMD HD 2900 XT 
GPU to be up to 16 and 60 times faster respectively than high end CPUs. 

The following section describes previous work related to implementing sym- 
metric cryptographic algorithms on GPUs and vector-based processors. Next we 
describe GPU hardware architecture and programming APIs to provide context 
for the GPGPU programming model. Bitsliced implementations of DES and 
AES are then described in the context of high-performance GPGPU-accelerated 
key searching applications that demonstrate the potential speedup of GPUs over 
conventional CPUs in certain classes of problems. Lastly, a comparison of a con- 
ventional block-based implementation of AES on both the current and previous 
generations of GPUs is presented to illustrate the computational advantages of 
the latest generation of GPUs. 

Fig. 1. GPU vs. CPU GFLOPS performance over time 


2 Previous Work 

Cook et al. [2] were the first to investigate the feasibility of using GPUs for 
symmetric key encryption. Using OpenGL they implemented AES on various 
previous-generation GPUs. Unfortunately, the limited capability of the graphics 
programming model they used limited their performance and prevented them 
from exploiting some of the programmable features of their hardware. Instead 
they were forced to use a fixed-function pipeline, rely on color maps to transform 
bytes, and exploit a hardware XOR unit in the output-merger stage. A complete 
execution of AES required multiple passes through the pipeline, which signifi- 
cantly impacted their performance. Their experiments found that the GPU could 
only perform at about 2.3% of the CPU rate when both were running code op- 
timized for their individual instruction sets. A recent OpenGL implementation 
[?] on a NVIDIA Geforce 8800 GTS achieves rates of almost 3 Gbps. 

Vector processors have been considered for implementation of symmetric al- 
gorithms such as DES [?], and cryptography in general [?], which yielded some 
performance increase. Recently, Costigan and Scott [?] implemented RSA using 
the vector units of the Cell processor. They were able to achieve rates up to 7× 
faster using 6 vector units (SPU) over the onboard PowerPC unit (PPU). 

3 GPGPU Programming Model 

The latest generation of GPUs (e.g., Nvidia's 8000 series or AMD's HD 2000 
series) has adopted the unified shader programming model pioneered by AMD 
in the Xbox 360's GPU [?]. In the unified shader model, all graphics functions 
are executed on programmable ALUs that can handle the different types of pro- 
grams (i.e., shader programs) that need to be run by the different stages of 
the conventional graphics pipeline. The programmable nature of these ALUs 
can be exploited to implement non-graphics functions using a virtualized SIMD 
processing programming model that operates on streams of data. In this pro- 
gramming model, arrays of input data elements stored in memory are mapped 
one-to-one onto the virtualized SIMD array, which executes a shader program 
to generate one or more outputs that are then written back to output arrays 
in memory. Each instance of a shader program running on a virtualized SIMD 
array element is called a thread. The GPU and its components map the array of 
threads onto a finite pool of physical shader processors (SPs) by scheduling the 
available resources in the GPU such that each element of the virtual SIMD array 
is eventually processed, at which point additional shader programs can also be 
executed until the application has completed. A simplified view of the GPGPU 
programming model and mapping of threads to the GPU's processing resources 
is shown in Figure 2. 



Fig. 2. Simplified view of the GPGPU programming model and thread mapping 
Table 1. GPU characteristics 

                          X1950 XTX    HD 2900 XT 
# of SP Units                    48            64 
# of ALU Units                  192           320 
# of Memory Fetch Units          16            16 
SP Frequency                650 MHz       750 MHz 
Memory Frequency              1 GHz       825 MHz 
Memory Bandwidth            64 GB/s   105.60 GB/s 
Local Memory Size              1 GB          1 GB 


Modern GPUs are designed to be very efficient at running large numbers of 
threads (e.g., thousands/millions) in a manner that is transparent to the appli- 
cation/user. The GPU uses the large number of threads to hide memory access 
latencies by having the resource scheduler switch the active thread in a given 
SP whenever the current thread finds itself stalled waiting for a memory access 
to complete. Time multiplexing is also used in the SPs' ALUs to execute multi- 
ple threads concurrently and hide the latency of ALU operations via pipelining. 
Both of these techniques require that a thread contain a large number of calcula- 
tions to improve the ability of the resource scheduler to hide the aforementioned 
latencies. When that condition is satisfied, the entire computational bandwidth 
of the GPU can be utilized to help GPGPU applications achieve performance 
increases on the order of 10-100× over conventional CPUs. 

DirectX [?] and OpenGL [?] are the standard programming APIs for GPUs 
and provide high-level languages for writing shader programs (e.g., HLSL and 
GLSL). However, these APIs are optimized for graphics and are difficult to use 
for non-graphics developers. Recently several projects have begun to try and 
abstract away the graphics-specific aspects of traditional GPU APIs [?]. 
In this paper we use both DirectX and CTM [13], AMD's GPU hardware 
interface API, which treats the GPU as a data parallel virtual machine. CTM 
allows shader programs to be written in both high-level (e.g., HLSL) and low- 
level (e.g., native GPU ASM) languages. Writing high-level shaders is similar to 
writing C code, except there are additional vector data types with multiple (up 
to four) accessible components. See [?] for a more complete description. Our 
implementations written in DirectX can run on any DirectX capable hardware. 
The bitsliced implementations described in the following sections could also be 
implemented on most modern graphics hardware. 

All of the experiments in this work were conducted on either an AMD Radeon 
X1950 XTX or an AMD Radeon HD 2900 XT GPU. The HD 2900 XT is the 
latest generation of AMD GPUs and uses a unified, superscalar shader processing 
architecture. Shader processors also share a limited number of memory fetch 
units, which are the physical devices that access memory. Table 1 summarizes 
the relevant GPU feature sets. With significantly more ALUs than memory fetch 
units, GPUs perform better on applications with high arithmetic intensity. 
4 High-Performance Bitsliced DES Key Searching 
Application 

Bitslicing was first suggested by Biham in [?] as a means of exploiting large word 
widths in conventional CPUs to increase the bandwidth of software implementa- 
tions of symmetric algorithms. The HD 2900 XT can be utilized in a variety of 
configurations due to its flexible superscalar architecture. For this application we 
utilized it as a 2 × 64-bit wide processor with 64 individual processing cores to 
implement a bitsliced implementation of DES [?] for use in a key search applica- 
tion implemented using AMD's CTM GPGPU programming infrastructure. The 
full width of the GPU (160 bits) was not used as the resulting register require- 
ments to store the entire cipher state and key vector would limit the number of 
threads executing at any given time, reducing overall program performance. 

The key search application partitions the key space of size 2^56 into 2^22 inde- 
pendent jobs that each check 2^34 keys. Each job is composed of 2^12 (64 × 64) 
individual program invocations (threads), each of which is run on a shader pro- 
cessor using an optimized bitsliced DES shader program written in the GPU's 
native assembly language. Each shader program computes 64 DES calculations in 
parallel, and iterates a total of 2^16 times, for a total of 2^22 key checks per thread. 
In general such a brute force searching application is of limited use, but combined 
with a directed, template-based approach, such as that used in popular password 
recovery utilities, or in conjunction with side channel techniques that are used to 
find a subset of the secret key bytes, it can prove to be a very potent tool capable 
of operating substantially faster than conventional CPU implementations. 

The bitsliced DES shader program utilizes the XOR, AND, OR, and NOT in- 
structions of the GPU to implement the necessary functions, which are primarily 
the eight DES S-boxes. Matthew Kwan's optimized DES S-box implementations 
[?] were utilized as the basis for our implementation. Modifications were made 
to both the data format and S-box functions to enable two S-boxes to be com- 
puted concurrently (e.g., sbox15 = sbox1 and sbox5) as a means of reducing the 
execution time by almost a factor of 2. Table 2 compares the performance of 
the conventional and parallelized S-box implementations. The even/odd round 
distinction is required due to the alternating write-back of the left and right 
cipher states in the even/odd rounds when you leave the cipher state in place 
to eliminate DES' right/left state swapping. The difference in instruction counts 
between the even/odd versions is due to the insertion of NOPs to avoid write 
conflicts within the ALU/register interface. 

S-box parallelization, combined with a reduction in the number of registers 
needed by the shader program, more than offsets the fact that we are only able to 
use less than half of the full 160-bit width available in the shader processor for 
bitslicing. The net effect is approximately a 2.5× increase in overall performance 
using the 64-bit solution with S-box parallelization compared to a full-width 
(i.e., 128-bit) bitsliced solution. 

Table 2. Comparison of DES S-box instruction counts 

Parallelized S-boxes                       Conventional S-boxes 
S-box     Odd round      Even round        S-box    Instruction 
          instruction    instruction                count 
          count          count 
sbox15    69             72                sbox1    67 
sbox26    65             64                sbox2    60 
sbox37    63             63                sbox3    61 
sbox48    61             61                sbox4    46 
                                           sbox5    66 
                                           sbox6    61 
                                           sbox7    61 
                                           sbox8    58 
Total     258            260               Total    480 


The resulting bitsliced implementation is shown graphically in Figure 3. The 
main loop consists of 16 rounds of S-box applications, along with short setup 
functions that mix in the necessary key bits for each round. The InitCipherState 
function loads IP-permuted plaintext(s) into the GPU using constants as they 
don't change during the shader program's execution. The CheckResult function 
compares the pre-IP^{-1} permuted output to a similarly formatted reference ci- 
phertext, generating a 64-bit bitmask of each bitsliced calculation where a "1" 
indicates a match was found (i.e., the reference plaintext encrypted with the key 
corresponding to that slice generated the reference ciphertext). Note that mul- 
tiple plaintexts and ciphertexts can be utilized as those values are passed in as 
simple parameters. When a match is found the necessary information required 
to reconstruct the corresponding key is written to the output array where it can 
be scanned by the application running on the CPU while the next job is being 
processed by the GPU, thereby incurring no overall result-checking performance 
penalty. The IncrementKey function increments the bitsliced key vector stored 
within the GPU using a simple bitsliced bit-serial addition on the 16 key bits 
that track the iteration number. 
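An added Python example (not code from the paper) of the bitsliced data layout and the helper functions the paragraphs above describe, written for a 64-lane word as in the 2 × 64-bit configuration: the transposition of 64 independent inputs into bit-slices, a generic AND/OR/NOT evaluation of a small S-box on those slices, the CheckResult match mask, and the IncrementKey bit-serial addition. The 4-bit S-box is a constructed stand-in for the 6-to-4-bit DES S-boxes, and the minterm form of the S-box circuit shows the principle only; it is far larger than Kwan's hand-optimised gate counts in Table 2.

```python
from typing import List

LANES = 64                  # one independent block per bit position of a 64-bit word
MASK = (1 << LANES) - 1

# Constructed 4-bit S-box, a small stand-in for the DES S-boxes (not from the paper).
TOY_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def transpose(values: List[int], width: int) -> List[int]:
    """Bitslice: slice b holds bit b of every value; value j lives in lane (bit) j."""
    assert len(values) <= LANES
    slices = [0] * width
    for j, v in enumerate(values):
        for b in range(width):
            if (v >> b) & 1:
                slices[b] |= 1 << j
    return slices


def untranspose(slices: List[int], count: int) -> List[int]:
    """Inverse of transpose: rebuild the per-lane values from the slices."""
    values = [0] * count
    for b, s in enumerate(slices):
        for j in range(count):
            if (s >> j) & 1:
                values[j] |= 1 << b
    return values


def bitsliced_sbox(table: List[int], in_slices: List[int], out_bits: int) -> List[int]:
    """Evaluate any small S-box on all 64 lanes at once using only AND/OR/NOT.
    Output bit b is the OR of the minterms x for which table[x] has bit b set;
    a minterm is the AND over every input slice or its complement.  Correct for
    any table, but much larger than a hand-optimised S-box circuit."""
    in_bits = len(in_slices)
    neg = [~s & MASK for s in in_slices]
    out = [0] * out_bits
    for x in range(1 << in_bits):
        term = MASK
        for b in range(in_bits):
            term &= in_slices[b] if (x >> b) & 1 else neg[b]
        for b in range(out_bits):
            if (table[x] >> b) & 1:
                out[b] |= term
    return out


def check_result(out_slices: List[int], reference: int) -> int:
    """CheckResult: lane mask with bit j set where lane j's output equals reference."""
    match = MASK
    for b, s in enumerate(out_slices):
        match &= s if (reference >> b) & 1 else ~s & MASK
    return match


def increment_key(key_slices: List[int], counter_bits: int) -> List[int]:
    """IncrementKey: add 1 to the low counter_bits of every lane's key with a
    bit-serial ripple adder over the slices (carry out of the top bit is dropped)."""
    carry = MASK
    for b in range(counter_bits):
        key_slices[b], carry = key_slices[b] ^ carry, key_slices[b] & carry
    return key_slices


def sbox_all_lanes(values: List[int]) -> List[int]:
    """Round trip: S-box every lane through the bitsliced path, return plain values."""
    out = bitsliced_sbox(TOY_SBOX, transpose(values, 4), 4)
    return untranspose(out, len(values))
```

Every operation in the loop body touches all 64 lanes with one word-wide instruction, which is why the instruction count per iteration (4691 for the full DES program in Figure 3) is divided over 64 blocks in the peak-rate estimate that follows.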

The theoretical peak bandwidth of the GPU for the bitsliced DES calculation 
can be determined by computing the maximum rate that can be achieved by all 
64 SPs operating at their peak rate, ignoring any degradation in performance 
due to memory accesses and overhead: 

$$\mathrm{PeakRate} = \frac{64\ \mathrm{SPs} \times 750\ \mathrm{M\ instructions/s} \times 64\ \mathrm{blocks/iteration}}{4691\ \mathrm{instructions/iteration}} = 654.9\ \mathrm{Mblocks/s}$$ 


The execution time of the shader program is key-invariant. The performance 
measured on HD 2900 XT hardware is shown in Figure 4. All measurements were 
based on timing the program across multiple iterations for several minutes of real 
time execution. The implementation achieves a maximum device utilization of 
83% for a maximum key checking rate of 545 Mkeys/s (i.e., encrypting 545M DES 
blocks per second, or 34.9 Gbps of data, though memory read/write bandwidth 
limitations may constrain this general case). The remaining 17% of the available 
performance is lost to the overhead associated with the scheduling and execution 
of the shader program on the GPU, along with the costs of reading/writing 
memory during execution. 

Symmetric Key Cryptography on Modern Graphics Hardware 255 

Fig. 3. Bitsliced DES implementation instruction count 

Figure 4 also shows the performance advantage of using the HD 2900 XT 
compared to a comparable bitsliced DES key search program using Matthew 
Kwan's optimized S-boxes executing on a dual-core AMD 2.8 GHz Athlon FX- 
62 system. The CPU-based solution had a measured key checking rate of 9 
Mkeys/s. Hence, a single-GPU solution can deliver on the order of a 19-60× 
increase in performance over a single-CPU solution for this application. 

Lastly, Figure 4 demonstrates the effect of amortizing a portion of the fixed- 
cost overhead of processing on the GPU across multiple iterations, indicating 
that over 87% of the application’s maximum performance can be realized with 
as few as 32 iterations. 

5 High-Performance Bitsliced AES Key Searching 
Application 

A more relevant algorithmic exploration was undertaken to implement an efficient 
bitsliced AES [?] version of the aforementioned DES key search application. The 
AES key search application partitions the key space of size 2^128 into 2^95 indepen- 
dent jobs that each check 2^33 keys. Each job is composed of 2^12 (64 × 64) individual 
threads, each of which executes an optimized bitsliced AES shader program writ- 
ten in the GPU's native assembly language. Each shader program computes 32 
AES calculations in parallel, and iterates a total of 2^16 times, for a total of 2^21 
key checks per thread. With such an enormous key space of 2^128, the only real- 
istic use of a brute-force AES-based key search application is as a component of 
the aforementioned directed, template-based key searching utilities, or helping to 
find missing key bytes in side channel attacks. In this sort of application having 
an accelerated AES engine can prove very beneficial to greatly reduce the search 
times over conventional CPU-based solutions. 

For bitsliced AES the HD 2900 XT shader processor is utilized as a 4 × 32-bit 
wide processor that processes four columns of 32 bitsliced AES state arrays in 
parallel. The bitsliced implementation computes the encryption key schedule on- 
the-fly using a transposed key array stored in the register file. The transposition 
is required to maximize the performance of the round key generation function. 
The bitsliced state and key array to register mappings are shown in Figure 5. 

The bitsliced AES shader program utilizes an optimized AES ByteSub/Shift- 
Row implementation that computes four columns in parallel, requiring four in- 
vocations to process the entire state array (i.e., 4 ByteSub/ShiftRow operations 
= the SubBytes/ShiftRows operation defined in [?]). The AES S-boxes were im- 
plemented using the optimized normal basis composite S-box implementation 
described in [?] and shown in Figure 6. Additional optimizations to eliminate 
redundant calculations/storage were used to yield a final implementation requir- 
ing 126 instructions, which is substantially less than previously reported bitsliced 
AES S-box solutions (e.g., 205 instructions in [?]). 

The round key update function (Figure 7) exploits the transposed key array 
and optimized ByteSub/ShiftWord function to yield a 160 instruction operation. 
The transposition of the key array is undone when the round key is XORed into 
the state array using a transposed XOR operation that has no performance 
penalty since the transposition is done via register addressing. 

The resulting bitsliced AES implementation is summarized graphically in 
Figure 8. The main loop adds some additional initialization as both state and 
key arrays need to be reset. The ByteSub/ShiftRow, UpdateRoundKey, and 
AddRoundKey functions have already been discussed. The MixColumns func- 
tion processes all four columns in parallel, in-place, and in a single invocation. 
The CheckResult and IncrementKey functions are functionally equivalent to 
the previously described bitsliced DES functions. As in the case of DES, arbitrary 
plaintexts and ciphertexts can be used, and, as previously mentioned, the key 
schedule is computed on-the-fly. With pre-generated keys, the performance could 
be increased by 23%. 

Fig. 5. Bitsliced AES register mapping of state and key arrays 

Fig. 6. Composite normal basis S-box implementation 

The theoretical peak bandwidth of the GPU for bitsliced AES calculations 
can be computed as with DES using the formula: 

$$\mathrm{PeakRate} = \frac{64\ \mathrm{SPs} \times 750\ \mathrm{M\ instructions/s} \times 32\ \mathrm{blocks/iteration}}{8560\ \mathrm{instructions/iteration}} = 179.4\ \mathrm{Mblocks/s}\ \ (\text{w/ key generation})$$ 
The execution time of the shader is key-invariant. The performance measured 
on HD 2900 XT hardware is shown in Figure 9. All measurements were based 
on timing the program across multiple iterations for several minutes of real time 
execution. The implementation achieves a maximum device utilization of 81% for 
a maximum key checking rate of 145 Mkeys/s (i.e., encrypting 145M blocks per 
second, or 18.5 Gbps of data, though memory read/write bandwidth limitations 
may constrain the general case). 



Fig. 7. Round key update function 

Fig. 8. Bitsliced AES implementation instruction count 

Fig. 9. Measured bitsliced AES performance 


Figure 9 also compares the performance on the GPU to two previously reported 
software implementations ([?], [?]). The authors of [?] describe a non-bitsliced 
implementation on an AMD Athlon 64 3500+ CPU running at 2.2 GHz 
at a rate of 2200 MHz / 170 cycles/block ≈ 13 Mblocks/s. The authors of [?] 
describe a non-bitsliced implementation on an AMD Opteron 64 CPU running 
at 2.4 GHz at a rate of 2400 MHz / 254 cycles/block ≈ 9 Mblocks/s. Unfortunately, 
simple comparisons to our work aren’t possible, as neither implementation 
generates its key schedule on the fly, which is required in a key searching 
application. Figure 9 attempts to normalize the key generation process out of the 
equation by removing the key generation portion of our implementation, since 
we don’t have the necessary information to derate the results of [?] and [?]. 
Figure 9 therefore shows the GPU implementation’s results prorated by the 
aforementioned 23% attributed to round key generation. Hence, a single-GPU solution 
can deliver on the order of a 6–16× increase in performance over a single-CPU 
solution for this application. 

As with the bitsliced DES implementation, Figure 9 demonstrates the amorti- 
zation effect of running multiple loop iterations, indicating that over 85% of the 
application’s maximum performance can be realized with as few as 8 iterations. 

6 Conventional Block-Based AES Implementation 

In this section, we describe the implementation of a conventional block-based 
AES decryption implementation on both the previous-generation X1950 XTX 
GPU, which only has floating point ALU units, and the current HD 2900 XT 
GPU that features an enhanced instruction set with full integer support. Even 
with the availability of full integer support, it is still important to understand 
implementations on earlier GPUs because they are still used in low-cost graphics 
cards. 


6.1 Implementation Using Only Floating Point Hardware 

The entire 128-bit state array is transformed in parallel using four registers 
containing 4 bytes each, stored in the transposed, unpacked format shown in 
Figure 10. When reading in an integer value, floating point GPU hardware 
normalizes the input to range from 0 to 1, which is accounted for in the shader 
program that implements AES. 

Fig. 10. AES state array register storage mapping (128 bits as four 32-bit 
registers, each holding W, Z, Y and X components) 


The internal floating-point representation introduces complications with the 
required XOR operation. [2] proposed using XORs in the output stage, which 
incurs a steep penalty due to the overhead involved with issuing multiple passes 
through the GPU’s pipeline. One alternative is to use the GPU’s native 
instruction set to implement a XOR function at the cost of 20 instructions per 
4 × 8-bit row of the state array. A more economical solution is to utilize a 
256 × 256 table lookup in local memory to implement each 8-bit XOR operation 
in a single instruction. The cost of this approach is the memory latency associated 
with performing the lookup, but GPUs are optimized to hide these latencies 
by efficiently switching to other threads whenever a stall occurs due to fetching 
data from memory. However, a 256 × 256 (64 KB) lookup table is actually quite 
large, so a hybrid approach can also be used that processes the 8-bit XOR as 
two 4-bit XORs, each done through a 16 × 16 (256-byte) lookup table or with 
ALU instructions. Table 3 compares the performance of the different XOR 
alternatives; however, actual performance in the full AES implementation will 
depend on shader instruction ordering. 
Table 3. Performance of 8-bit XOR operations on the X1950 XTX 

Shader Type    | XORs per sec 
---------------|------------- 
ALU Only       | 6307 M 
256x256 Table  | 778 M 
16x16 Table    | 2980 M 
Hybrid         | 4877 M 


The GPU-based AES implementation is performed using the T-box approach 
described in the original Rijndael submission [?] to the AES contest, where each 
parenthesized term below is one T_round[x] table lookup: 

$$
\begin{aligned}
s'_{0,c} &= (\mathtt{0E}\cdot\mathrm{Sbox}[s_{0,c}]) \oplus (\mathtt{0B}\cdot\mathrm{Sbox}[s_{1,c}]) \oplus (\mathtt{0D}\cdot\mathrm{Sbox}[s_{2,c}]) \oplus (\mathtt{09}\cdot\mathrm{Sbox}[s_{3,c}]) \\
s'_{1,c} &= (\mathtt{09}\cdot\mathrm{Sbox}[s_{0,c}]) \oplus (\mathtt{0E}\cdot\mathrm{Sbox}[s_{1,c}]) \oplus (\mathtt{0B}\cdot\mathrm{Sbox}[s_{2,c}]) \oplus (\mathtt{0D}\cdot\mathrm{Sbox}[s_{3,c}]) \\
s'_{2,c} &= (\mathtt{0D}\cdot\mathrm{Sbox}[s_{0,c}]) \oplus (\mathtt{09}\cdot\mathrm{Sbox}[s_{1,c}]) \oplus (\mathtt{0E}\cdot\mathrm{Sbox}[s_{2,c}]) \oplus (\mathtt{0B}\cdot\mathrm{Sbox}[s_{3,c}]) \\
s'_{3,c} &= (\mathtt{0B}\cdot\mathrm{Sbox}[s_{0,c}]) \oplus (\mathtt{0D}\cdot\mathrm{Sbox}[s_{1,c}]) \oplus (\mathtt{09}\cdot\mathrm{Sbox}[s_{2,c}]) \oplus (\mathtt{0E}\cdot\mathrm{Sbox}[s_{3,c}])
\end{aligned}
$$

Using the above implementation, each column of the state array would require 
4 lookups to compute the GF(2^8) multiplications (each fetch can return 4 × 8-bit 
values simultaneously) and 12 lookups for computing the 8-bit XORs, assuming 
1 fetch per XOR, for a total of 64 lookups per round. The number of lookups 
can be reduced to 24 by combining two GF(2^8) multiplications and XORs into 
a single lookup table. Hence, every lookup of T_round[x, y] would return a 4-tuple 
containing [0E·x ⊕ 0B·y, 09·x ⊕ 0E·y, 0D·x ⊕ 09·y, 0B·x ⊕ 0D·y], which reduces 
each state array column update to 6 lookups (2 for the multiplications and 4 for 
the XORs), or 24 MixColumns lookups per round. With swizzling, the ability for 
hardware to arbitrarily access register components, only one table is required. 

AddRoundKey is implemented using a similar lookup-based technique that 
requires us to pre-process the key expansion table and XOR it with the range of 
8-bit values, forming a 2D lookup table that can be accessed using 16 lookups. 
Every byte in every round maps to a specific entry in the key expansion, so every 
table access is of the form T_keyadd[byte_value, key_entry]. For the last round, 
which has no MixColumns operation, the S-Box transform is also included. 

The following shader program pseudo-code processes one complete column of 
the round function: 

    float4 a, b, t, c0; 
    // two T_round fetches cover the four S-box lookups and GF(2^8) multiplies 
    a = T_round[r0.w, r3.z]; 
    b = T_round[r2.y, r1.x]; 
    // combine the two 4-tuples (modelled as one lookup per 8-bit XOR) 
    t = XOR(a, b); 
    // AddRoundKey through the precomputed key-XOR table, one byte at a time 
    c0.w = T_keyadd[t.x, round_offset]; 
    c0.z = T_keyadd[t.y, round_offset + 1]; 
    c0.y = T_keyadd[t.z, round_offset + 2]; 
    c0.x = T_keyadd[t.w, round_offset + 3]; 

Assuming a single lookup per 8-bit XOR, the complete round function is 40 
lookups. 
When the shader program has processed all 10 rounds, the 128-bit state array 
is written out to memory. The hardware can write four outputs simultaneously, 
which is used to write back the state as four 4 × 8-bit values, each representing 
a row in the transposed state array (e.g., s_{c,0}, s_{c,1}, s_{c,2}, or s_{c,3} in Figure 10). 

The measured performance of this straightforward implementation is approximately 
315 Mbps on an X1950 XTX and 380 Mbps on an HD 2900 XT. This 
assumes all input blocks use the same key and does not include the key ex- 
pansion which can be computed on the CPU in parallel with previous GPU 
computations such that it can be effectively hidden in a well-balanced imple- 
mentation. The performance is limited due to the number of lookups, which can 
be a penalty if there are not enough threads and ALU instructions to hide the 
associated memory access latencies. This is why performance does not scale by 
the number of ALU units, because both GPUs have the same number of mem- 
ory fetch units. In addition, the random nature of the fetches due to the mixing 
properties of the AES algorithm impacts the ability of the GPU to use caching 
to minimize the memory access latencies of the lookups. 

One possible optimization replaces the 2D round processing lookup tables with 
a 3D table that incorporates three GF(2^8) multiplies and two XORs, as well as 
a 2D table that incorporates the fourth GF(2^8) multiply and round key XOR. 
This reduces the entire round function to 24 lookups. In this mode, performance 
increases to 770 Mbps. However, the memory requirements are greatly increased, 
as we now need a 256 × 256 × 256 (16 MB) lookup table. 

Taking advantage of latency hiding, a fully optimized shader using hybrid 
XORs performs at 840 Mbps on an X1950 XTX and 990 Mbps on an HD 2900 XT. 

6.2 Implementation on the HD 2900 XT 

AMD’s HD 2900 XT allows for native integer operations and data types, as well 
as the ability to access data structures in memory (i.e., lookup tables) using 
integer values. XORs can be computed using the native XOR instruction of 
the GPU, so all 256 × 256-byte lookup tables with precomputed XORs from the 
previous section can be replaced with much smaller 256 × 4-byte tables (similar to 
CPU implementations) and their results summed using explicit XOR operations. 
Hence, the round operation shader code can be greatly simplified: 

    float4 c0, r0; 
    // one swizzled lookup of the same table per state byte; XORs are native 
    c0 = txMCol[r0.w].wzyx ^ txMCol[r3.z].xwzy ^ 
         txMCol[r2.y].yxwz ^ txMCol[r1.x].zyxw; 
    // AddRoundKey: XOR with the expanded round key fetched from its own table 
    r0 = c0 ^ T_keyadd[round_offset]; 

With swizzling, only a single table is needed to represent an entire state array 
column update (e.g., four S-Box transforms and four GF(2^8) multiplies) in one lookup. 

The AddRoundKey step requires the key expansion to be stored as a separate 
lookup table and the XOR is performed in the shader. In the very last round, 
SubBytes must be performed without the MixColumns. Previously we would 
have to precompute this into a dedicated lookup table, but now we perform sep- 
arate lookups for all the S-Box transform values and then a final AddRoundKey. 
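The two table layouts described in Sections 6.1 and 6.2 can be checked against a direct computation in a few lines. The following Python, added here and not code from the paper, builds the inverse S-box, the single 256-entry txMCol table with its swizzled (rotated) lookups, the combined 256 × 256 T_round[x, y] table, and the hybrid 4-bit XOR table of Table 3, and verifies that both lookup paths produce the same decryption column update as InvSubBytes, InvMixColumns and AddRoundKey computed directly; the table and function names, and the sample column and round key, are constructed for this example.

```python
# Added example (not the paper's shader code): the AES decryption column
# update of Section 6 built from lookup tables, checked against a direct
# InvSubBytes / InvMixColumns / AddRoundKey computation.
from typing import Tuple

Column = Tuple[int, int, int, int]

def gf_mul(a: int, b: int) -> int:
    """Multiply two bytes in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r

def gf_inv(a: int) -> int:
    """Multiplicative inverse in GF(2^8) as a^254; 0 maps to 0 by convention."""
    r, base, e = 1, a, 254
    while e:
        if e & 1:
            r = gf_mul(r, base)
        base = gf_mul(base, base)
        e >>= 1
    return r if a else 0

def _rotl8(v: int, k: int) -> int:
    return ((v << k) | (v >> (8 - k))) & 0xFF

def _affine(b: int) -> int:
    """The AES S-box affine map, applied to the field inverse."""
    return b ^ _rotl8(b, 1) ^ _rotl8(b, 2) ^ _rotl8(b, 3) ^ _rotl8(b, 4) ^ 0x63

SBOX = [_affine(gf_inv(x)) for x in range(256)]
INV_SBOX = [0] * 256
for _x, _y in enumerate(SBOX):
    INV_SBOX[_y] = _x

# InvMixColumns coefficients; each row is one of the paper's four equations.
INV_MIX = ((0x0E, 0x0B, 0x0D, 0x09), (0x09, 0x0E, 0x0B, 0x0D),
           (0x0D, 0x09, 0x0E, 0x0B), (0x0B, 0x0D, 0x09, 0x0E))

def inv_mix_column(col: Column) -> Column:
    return tuple(gf_mul(row[0], col[0]) ^ gf_mul(row[1], col[1])
                 ^ gf_mul(row[2], col[2]) ^ gf_mul(row[3], col[3])
                 for row in INV_MIX)

def reference_round_column(col: Column, rk: Column) -> Column:
    """InvSubBytes, InvMixColumns, AddRoundKey computed directly (no tables)."""
    mixed = inv_mix_column(tuple(INV_SBOX[s] for s in col))
    return tuple(m ^ k for m, k in zip(mixed, rk))

def rot(t: Column, k: int) -> Column:
    """Rotate a 4-tuple right by k positions; stands in for the GPU swizzle."""
    return t[-k:] + t[:-k] if k else t

# Section 6.2 style: one 256-entry table of 4-byte tuples (txMCol). Entry x
# holds the inverse S-box output of x pre-multiplied by 0E, 09, 0D and 0B.
TX_MCOL = [(gf_mul(0x0E, s), gf_mul(0x09, s), gf_mul(0x0D, s), gf_mul(0x0B, s))
           for s in INV_SBOX]

def round_column_txmcol(col: Column, rk: Column) -> Column:
    """Four swizzled lookups of the same table XORed together, then the key."""
    s0, s1, s2, s3 = col
    terms = (TX_MCOL[s0], rot(TX_MCOL[s1], 1), rot(TX_MCOL[s2], 2),
             rot(TX_MCOL[s3], 3), rk)
    return tuple(a ^ b ^ c ^ d ^ k for a, b, c, d, k in zip(*terms))

# Section 6.1 style: a 256x256 table T_round[x, y] that folds two S-box lookups,
# two GF(2^8) multiplies per component and the XOR between them into one fetch.
T_ROUND = [[tuple(a ^ b for a, b in zip(TX_MCOL[x], rot(TX_MCOL[y], 1)))
            for y in range(256)] for x in range(256)]

# The "Hybrid" XOR of Table 3: an 8-bit XOR as two 4-bit table lookups.
XOR16 = [[a ^ b for b in range(16)] for a in range(16)]

def xor8_hybrid(a: int, b: int) -> int:
    return (XOR16[a >> 4][b >> 4] << 4) | XOR16[a & 0xF][b & 0xF]

def round_column_tround(col: Column, rk: Column) -> Column:
    """Two T_round fetches (the second swizzled) plus eight table-based XORs."""
    s0, s1, s2, s3 = col
    a = T_ROUND[s0][s1]
    b = rot(T_ROUND[s2][s3], 2)  # same table reused through swizzling
    t = tuple(xor8_hybrid(x, y) for x, y in zip(a, b))
    return tuple(xor8_hybrid(x, k) for x, k in zip(t, rk))  # T_keyadd's role

if __name__ == "__main__":
    col, rk = (0x8E, 0x4D, 0xA1, 0xBC), (0x01, 0x23, 0x45, 0x67)  # constructed
    assert round_column_txmcol(col, rk) == round_column_tround(col, rk)
    assert round_column_txmcol(col, rk) == reference_round_column(col, rk)
    print("both table layouts match the direct computation")
```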
With these changes, we can achieve rates of 3.5 Gbps on the HD 2900 XT, 
compared to an optimized bitsliced implementation on a CPU running at 1.6 
Gbps [?] and the floating point versions on the X1950 XTX and HD 2900 XT GPUs 
running at 840 Mbps and 990 Mbps respectively. This is about 2× faster than 
a CPU and 3.5× faster than the floating point implementation. This is also 
comparable to the performance achieved by [?] using OpenGL on an NVIDIA 
GeForce 8800. Although the floating point implementation runs at half the rate 
of the CPU, this is still considerably better than the 2.3% found by [2]. 

7 Conclusion and Future Work 

In this work we have demonstrated both that GPUs can execute symmetric key 
ciphers, and that they can perform significantly faster than CPUs in certain 
applications. Bitsliced DES on a single HD 2900 XT was shown to operate up 
to 60 times faster than on a CPU, and bitsliced AES was shown to run up to 16 
times faster. 

We also demonstrated the advantages of the latest generation of GPUs over 
the previous generation. A block-based GPU implementation of AES runs 4x 
faster on the latest generation of GPUs versus the previous generation and 2x 
faster than a CPU version. 

It should be noted that the GPU is optimized for algorithms that are parallel 
in nature with high arithmetic intensity. Hence, when programs must be executed 
serially, such as when there are dependencies between threads, then CPUs will 
outperform GPUs. This will be the case for certain block cipher operating modes 
such as CBC encryption due to the dependencies between successive blocks, 
unless there are a sufficient number of streams that can be processed in parallel 
to provide the large number of independent threads required to extract the 
performance in the GPU. 

We believe that the entire gamut of cryptography is waiting to be explored with 
current and future GPU hardware. Algorithmic exploration awaits on the sym- 
metric algorithm front with investigations of efficient implementations of other 
block/stream ciphers, particularly those amenable to bitsliced implementations 
that can leverage the large datapath width inherent in modern GPUs. In addi- 
tion, the word-level integer support should be exploitable in conventional hashing 
algorithms to achieve significant performance increases over conventional CPUs. 
One particularly interesting area of potential research is finding efficient mappings 
of the integer support on the latest generation of GPUs to DH/RSA/ECC, and 
other generic integer arithmetic algorithms. With processor design trending to- 
wards multi-core, and combining CPU(s) and GPU(s) on a single die, the GPU 
would appear to be a good research platform for future algorithm development. 
Abstract. In an identity-based encryption (IBE) scheme, there is a key 
extraction protocol where a user submits an identity string to a master 
authority who then returns the corresponding secret key for that identity. 
In this work, we describe how this protocol can be performed efficiently 
and in a blind fashion for several known IBE schemes; that is, a user can 
obtain a secret key for an identity without the master authority learning 
anything about this identity. 

We formalize this notion as blind IBE and discuss its many practical 
applications. In particular, we build upon the recent work of Camenisch, 
Neven, and shelat [?] to construct oblivious transfer (OT) 
schemes which achieve full simulatability for both sender and receiver. 
OT constructions with comparable efficiency prior to Camenisch et al. 
were proven secure in the weaker half-simulation model. Our OT schemes 
are constructed from the blind IBE schemes we propose, which require 
only static complexity assumptions (e.g., DBDH) whereas prior comparable 
schemes require dynamic assumptions (e.g., q-PDDH). 


1 Introduction 

In an oblivious transfer (OT^N_k) protocol, introduced by Rabin and generalized 
by Even, Goldreich and Lempel [?], and Brassard, Crépeau and Robert [?], 
a Sender with messages M_1, ..., M_N and a Receiver with indices σ_1, ..., σ_k ∈ 
[1, N] interact in such a way that at the end the Receiver obtains M_{σ_1}, ..., M_{σ_k} 
without learning anything about the other messages and the Sender does not 
learn anything about σ_1, ..., σ_k. Naor and Pinkas were the first to consider an 
adaptive setting, OT^N_{k×1}, where the sender may obtain … before deciding 
on σ_i [?]. Oblivious transfer is a useful, interesting primitive in its own right, 
but it has even greater significance as OT^N_k is a key building block for secure 
multi-party computation [?]. Realizing efficient protocols under modest 
complexity assumptions is therefore an important goal. 

The definition of security for oblivious transfer has been evolving. Informally, 
security is defined with respect to an ideal-world experiment in which the Sender 
and Receiver exchange messages via a trusted party. An OT protocol is secure if, 
for every real-world cheating Sender (resp., Receiver) we can describe an ideal-world 
counterpart who gains as much information from the ideal-world interaction 
as from the real protocol. Bellare and Micali [1] presented the first practical 
OT^2_1 protocol to satisfy this intuition in the honest-but-curious model. This was 
followed by practical OT protocols due to Naor and Pinkas [?] in the “half-simulation” 
model, where the simulation-based model (described above) is used 
only to show Sender security and Receiver security is defined by a simpler game-based 
definition. Almost all efficient OT protocols are proven secure with respect 
to the half-simulation model, e.g., [?]. Unfortunately, Naor and 
Pinkas demonstrated that this model permits selective-failure attacks, in which a 
malicious Sender can induce transfer failures that are dependent on the message 
that the Receiver requests [?]. 

Recently, Camenisch, Neven, and shelat [?] proposed practical OT^N_{k×1} protocols 
that are secure in the “full-simulation” model, where the security of both 
the Sender and Receiver are simulation-based. These simulatable OT protocols 
are particularly nice because they can be used to construct other cryptographic 
protocols in a simulatable fashion. More specifically, Camenisch et al. [?] provide 
two distinct results. First, they show how to efficiently construct OT^N_{k×1} 
generically from any unique blind signature scheme in the random oracle model. 
The two known efficient unique blind signature schemes due to Chaum [?] 
and Boldyreva [?] both require interactive complexity assumptions: one-more-inversion 
RSA and chosen-target CDH, respectively. (Interestingly, when instantiated 
with Chaum signatures, this construction coincides with a prior one of 
Ogata and Kurosawa [?] that was analyzed in the half-simulation model.) Second, 
they provide a clever OT^N_{k×1} construction in the standard model based on 
dynamic complexity assumptions, namely the q-Power Decisional Diffie-Hellman 
(i.e., in a bilinear setting e: G × G → G_T, given (g, g^x, g^{x^2}, ..., g^{x^q}, H) where 
g ← G and H ← G_T, distinguish (H^x, H^{x^2}, ..., H^{x^q}) from random values) and 
q-Strong Diffie-Hellman (q-SDH) assumptions. (Unfortunately, Cheon showed that 
q-SDH requires larger than commonly used security parameters [?].) These dynamic 
(including interactive) assumptions seem significantly stronger than those, 
such as DDH and quadratic residuosity, used to construct efficient OT schemes 
in the half-simulation model. Thus, a well-motivated problem is to find efficient, 
fully-simulatable OT schemes under weaker complexity assumptions. 

Our Contributions. In this work, we provide, to our knowledge, the first efficient 
and fully-simulatable OT^N_k and OT^N_{k×1} schemes secure under static complexity 
assumptions (e.g., DBDH, where given (g, g^a, g^b, g^c), it is hard to distinguish 
e(g,g)^{abc} from random). We summarize our results as follows. 

First, we introduce a building block, which is of independent interest. In 
identity-based encryption (IBE) [?], there is an extraction protocol where a 
user submits an identity string to a master authority who then returns the 
corresponding decryption key for that identity. We formalize the notion of blindly 
executing this protocol, in a strong sense: where the authority does not learn the 
identity nor can she cause failures dependent on the identity, and the user learns 
nothing beyond the normal extraction protocol. This concept has similarities to 
recent work by Goyal [?], in which a user wishes to hide certain characteristics 
of an extracted IBE key from the authority. In §3.1 we describe efficient blind 
extraction protocols satisfying this definition for the IBE schemes due to Boneh 
and Boyen [?] and Waters [?] (using a generalization proposed independently 
by Naccache [?] and Chatterjee and Sarkar [?]). The latter protocol is similar 
to a blind signature scheme proposed by Okamoto [?]. We call IBE schemes 
supporting efficient blind extraction protocols blind IBE, for short. 

Second, we present an efficient and fully-simulatable OT^N_k protocol constructed 
from any of the proposed blind IBE schemes (without requiring additional 
assumptions), and thus our constructions are secure under only DBDH. 
Intuitively, consider the following OT^N_k construction. The Sender runs the IBE 
setup algorithm and sends the corresponding public parameters to the Receiver. 
Next, for i = 1 to N, the Sender encrypts M_i under identity “i” and sends this 
ciphertext to the Receiver. To obtain k messages, the Receiver blindly extracts 
k decryption keys for identities of his choice and uses these keys to decrypt and 
recover the corresponding messages. While this simple protocol does not appear 
to be simulatable, we are able to appropriately modify it. (Indeed, one must 
also be cautious of possibly malformed ciphertexts, as we discuss later.) Our 
constructions from blind IBE are inspired by the Camenisch et al. [?] generic 
construction from unique blind signatures. Indeed, recall that the secret keys 
sk_id of any fully-secure IBE can be viewed as signatures by the authority on the 
message id [?]. Camenisch et al. require unique blind signatures, whereas we 
do not; however, where they require unforgeability, we require that our “blind 
key extraction” protocol does not jeopardize the semantic security of the IBE. 

Third, we present an efficient and fully-simulatable OT^N_{k×1} protocol constructed 
from our proposed blind IBE schemes in the random oracle model. 
We discuss how to remove these oracles at an additional cost. This improves on 
the complexity assumptions required by the comparable random-oracle scheme 
in Camenisch et al. [?], although we leave the same improvement for their adaptive 
construction without random oracles as an open problem. Finally, in a later 
section we discuss the independent usefulness of blind IBE to other applications, 
such as blind signatures, anonymous email, and encrypted keyword search. 

2 Technical Preliminaries 

Let BMsetup be an algorithm that, on input the security parameter 1^κ, outputs 
the parameters for a bilinear mapping as γ = (q, g, G, G_T, e), where g generates 
G, both G and G_T have prime order q, and e: G × G → G_T. In our schemes, 
we will require that the correctness of these parameters be publicly verifiable 
(Chen et al. describe efficient techniques for verifying these parameters in 
a typical instantiation). We will refer to the following complexity assumption 
made in these groups. 

Decisional Bilinear Diffie-Hellman (DBDH). Let BMsetup(1^κ) → (q, g, G, G_T, e). 
For all p.p.t. adversaries Adv, the following probability is strictly less 
than 1/2 + 1/poly(κ): Pr[a, b, c, d ← Z_q; x_0 ← e(g,g)^{abc}; x_1 ← e(g,g)^d; z ← 
{0, 1}; z' ← Adv(g, g^a, g^b, g^c, x_z) : z = z']. 

Known Discrete-Logarithm-Based, Zero-Knowledge Proofs. We use known techniques 
for proving statements about discrete logarithms, such as (1) proof of 
knowledge of a discrete logarithm modulo a prime [?], (2) proof that a committed 
value lies in a given integer interval [?], and also (3) proof of the 
disjunction or conjunction of any two of the previous [?]. These protocols are 
secure under the discrete logarithm assumption, although some implementations 
of (2) require the Strong RSA assumption. 

When referring to the proofs above, we will use the notation of Camenisch 
and Stadler [?]. For instance, PoK{(x, r) : y = g^x h^r ∧ (1 < x < n)} denotes a 
zero-knowledge proof of knowledge of integers x and r such that y = g^x h^r holds 
and 1 < x < n. All values not enclosed in ()’s are assumed to be known to 
the verifier. We can apply the Fiat-Shamir heuristic [?] to make such proofs 
non-interactive in the random oracle model. 

Commitments. Let (CSetup, Commit, Decommit) be a commitment scheme where 
CSetup generates public parameters p; on input a message M, Commit(p, M) 
outputs a pair (C, D); and Decommit(p, M, C, D) outputs 1 if D decommits C 
to M, or 0 otherwise. Our subsequent constructions require an efficient protocol 
for proving knowledge of a decommitment D with respect to (p, M, C). We 
recommend using the Pedersen commitment scheme [?] based on the discrete 
logarithm assumption, in which the public parameters are a group of prime order 
q, and random generators (g_0, ..., g_m). In order to commit to the values 
(v_1, ..., v_m) ∈ Z_q^m, pick a random r ∈ Z_q and set C = g_0^r ∏_{i=1}^m g_i^{v_i} and D = r. 
Schnorr’s technique is used to efficiently prove knowledge of the value D = r. 
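The Pedersen scheme and the proof of knowledge of its opening, written out as an added example that is not part of the paper: the Python below implements CSetup, Commit and Decommit for a vector (v_1, ..., v_m) exactly as above, and a non-interactive (Fiat-Shamir) generalised Schnorr proof for PoK{(r, v_1, ..., v_m) : C = g_0^r ∏ g_i^{v_i}}. The group is a constructed toy instance (a safe prime p = 2q + 1 with q = 1019) and the generator derivation and function names are assumptions of this example, not the paper's.

```python
# Added example (not from the paper): Pedersen vector commitment of Section 2
# with a Fiat-Shamir Schnorr-style proof of knowledge of the decommitment D = r.
import hashlib
import secrets
from typing import List, Sequence, Tuple

# Constructed toy parameters: a safe prime p = 2q + 1, whose quadratic residues
# form a subgroup of prime order q (a real instance uses a ~256-bit q).
Q = 1019
P = 2 * Q + 1  # 2039, prime

def csetup(m: int) -> List[int]:
    """CSetup: generators (g_0, ..., g_m) of the order-q subgroup (constructed)."""
    # Squares of distinct small bases are order-q elements whose mutual discrete
    # logarithms nobody chose, which is what the binding property relies on.
    return [pow(i + 2, 2, P) for i in range(m + 1)]

def _combine(params: Sequence[int], r: int, values: Sequence[int]) -> int:
    """g_0^r * prod_i g_i^{v_i} mod p."""
    acc = pow(params[0], r % Q, P)
    for g, v in zip(params[1:], values):
        acc = acc * pow(g, v % Q, P) % P
    return acc

def commit(params: Sequence[int], values: Sequence[int]) -> Tuple[int, int]:
    """Commit(p, M): returns (C, D) with D = r the decommitment."""
    r = secrets.randbelow(Q)
    return _combine(params, r, values), r

def decommit(params: Sequence[int], values: Sequence[int], C: int, D: int) -> int:
    """Decommit(p, M, C, D): 1 if D opens C to values, else 0."""
    return 1 if _combine(params, D, values) == C else 0

def _challenge(*ints: int) -> int:
    """Fiat-Shamir challenge: hash of the public transcript, reduced mod q."""
    data = b"|".join(str(i).encode() for i in ints)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def prove_opening(params: Sequence[int], values: Sequence[int], C: int,
                  D: int) -> Tuple[int, List[int]]:
    """Prover: generalised Schnorr proof of knowledge of (D, v_1, ..., v_m)."""
    witness = [D] + [v % Q for v in values]
    nonces = [secrets.randbelow(Q) for _ in witness]
    A = _combine(params, nonces[0], nonces[1:])   # commitment to the nonces
    c = _challenge(*params, C, A)
    responses = [(a + c * w) % Q for a, w in zip(nonces, witness)]
    return A, responses

def verify_opening(params: Sequence[int], C: int,
                   proof: Tuple[int, List[int]]) -> bool:
    """Verifier: g_0^{z_0} * prod g_i^{z_i} must equal A * C^c mod p."""
    A, responses = proof
    if len(responses) != len(params) or not all(0 <= z < Q for z in responses):
        return False
    c = _challenge(*params, C, A)
    return _combine(params, responses[0], responses[1:]) == A * pow(C, c, P) % P
```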

3 Blind Identity-Based Encryption 

An identity-based encryption (IBE) scheme supports two types of players: a 
single master authority and multiple users; together with the algorithms Setup, 
Encrypt, Decrypt and the protocol Extract. Let us provide some input/output 
specification for these protocols with intuition for what they do. 

Notation: Let I be the identity space and M be the message space. We write 
P(A(a), B(b)) → (c, d) to indicate that protocol P is between parties A and B, 
where a is A’s input, c is A’s output, b is B’s input and d is B’s output. 

- In the Setup(1^κ, c(κ)) algorithm, on input a security parameter 1^κ and a 
description of an identity space |I| ≤ 2^{c(κ)}, where c(·) is a computable, 
polynomially-bounded function, the master authority P outputs master parameters 
params and a master secret key msk. 

- In the Extract(P(params, msk), U(params, id)) → (id, sk_id) protocol, an honest 
user U with identity id ∈ I obtains the corresponding secret key sk_id from 
the master authority P or outputs an error message. The master authority’s 
output is the identity id or an error message. 

- In the Encrypt(params, id, m) algorithm, on input identity id ∈ I and message 
m ∈ M, any party can output ciphertext C. 

- In the Decrypt(params, id, sk_id, C) algorithm, on input a ciphertext C, the 
user with sk_id outputs a message m ∈ M or the distinguished symbol ⊥. 

Definition 1 (Selective-Identity Secure IBE (IND-sID-CPA) [?]). Let κ be 
a security parameter, c(·) be a polynomially-bounded function, |I| ≤ 2^{c(κ)} and M 
be the message space. An IBE is IND-sID-CPA-secure if every p.p.t. adversary 
A has an advantage negligible in κ for the following game: (1) A outputs a 
target identity id* ∈ I. (2) Run Setup(1^κ, c(κ)) to obtain (params, msk), and 
give params to A. (3) A may query an oracle O_{params,msk}(·) polynomially many 
times, where on any input id ≠ id* in I, the oracle returns sk_id, and on any 
other input, the oracle returns an error message. (4) A outputs two messages 
m_0, m_1 ∈ M where |m_0| = |m_1|. Select a random bit b and give A the challenge 
ciphertext c* ← Encrypt(params, id*, m_b). (5) A may continue to query oracle 
O_msk(·) under the same conditions as before. (6) A outputs b' ∈ {0,1}. We 
define A’s advantage in the above game as |Pr[b' = b] − 1/2|. 

On stronger notions of ciphertext security for IBE. A stronger notion of ciphertext 
security for IBE schemes is adaptive-identity security (IND-ID-CPA) [?], 
which strengthens the IND-sID-CPA definition by allowing A to select the target 
identity id* at the start of step (4) in the above game. In §3.1 we show blind 
IBE schemes satisfying both IND-sID-CPA and IND-ID-CPA security. Fortunately, 
our oblivious transfer applications in a later section require only IND-sID-CPA 
security (because the “identities” will be fixed integers from 1 to poly(κ)); some 
additional applications require the stronger IND-ID-CPA security. 

Blind IBE. So far, we have only described traditional IBE schemes. A blind IBE 
scheme consists of the same players, together with the same algorithms Setup, 
Encrypt, Decrypt, and yet we replace the protocol Extract with a new protocol 
BlindExtract which differs only in the authority’s output: 

- In the BlindExtract(P(params, msk), U(params, id)) → (nothing, sk_id) protocol, 
an honest user U with identity id ∈ I obtains the corresponding secret 
key sk_id from the master authority P or outputs an error message. The 
master authority’s output is nothing or an error message. 

We now define security for blind IBE, which informally is any IND-sID-CPA-secure 
IBE scheme with a BlindExtract protocol that satisfies two properties: 

1. Leak-free Extract: a potentially malicious user cannot learn anything by 
executing the BlindExtract protocol with an honest authority which she could 
not have learned by executing the Extract protocol with an honest authority; 
moreover, as in Extract, the user must know the identity for which she is 
extracting a key. 

2. Selective-failure Blindness: a potentially malicious authority cannot 
learn anything about the user’s choice of identity during the BlindExtract protocol; 
moreover, the authority cannot cause the BlindExtract protocol to fail 
in a manner dependent on the user’s choice. 
Of course, a protocol realizing the functionality BlindExtract (in a fashion 
that satisfies the properties above) is a special case of secure two-party computation 
[?]. However, using generic tools may be inefficient, so as in the 
case of blind signature protocols, we seek to optimize this specific computation. 
Let us now formally state these properties. 

Definition 2 (Leak-Free Extract). A protocol BlindExtract = (P, U) associated 
with an IBE scheme Π = (Setup, Extract, Encrypt, Decrypt) is leak free if 
for all efficient adversaries A, there exists an efficient simulator S such that for 
every value κ and polynomial c(·), no efficient distinguisher D can distinguish 
whether A is playing Game Real or Game Ideal with non-negligible advantage: 

Game Real: Run (params, msk) ← Setup(1^κ, c(κ)). As many times as D wants, 
A chooses an identity id and executes the BlindExtract protocol with P: 
BlindExtract(P(params, msk), A(params, id)). 

Game Ideal: Run (params, msk) ← Setup(1^κ, c(κ)). As many times as D wants, 
S chooses an identity id and queries a trusted party to obtain the output of 
Extract(params, msk, id), if id ∈ I, and ⊥ otherwise. 

Here D and A (or S) may communicate at any time. Also, params defines I. 

This definition implies that the identity id (for the key being extracted) is 
extractable from the BlindExtract protocol, since S must be able to interact with 
A to learn which identities to submit to the trusted party. We will make use 
of this observation later. Another nice property of this definition is that any 
key extraction protocol with leak-freeness (regardless of whether blindness holds 
or not) composes into the existing security definitions for IBE. (This would not 
necessarily be true of a blind signature protocol for the same type of signatures.) 
We state this formally below. 

Lemma 1. If Π = (Setup, Extract, Encrypt, Decrypt) is an IND-sID-CPA-secure 
(resp., IND-ID-CPA) IBE scheme and BlindExtract associated with Π is leak-free, 
then Π' = (Setup, BlindExtract, Encrypt, Decrypt) is an IND-sID-CPA-secure 
(resp., IND-ID-CPA) IBE scheme. 

Next, we define the second property of blindness. We use a strong notion of 
blindness called selective-failure blindness proposed recently by Camenisch et 
al. [?], ensuring that even a malicious authority is unable to induce BlindExtract 
protocol failures that are dependent on the identity being extracted. 

Definition 3 (Selective-Failure Blindness (SFB) [?]). A protocol P(A(·), 
U(·, ·)) is said to be selective-failure blind if every p.p.t. adversary A has a negligible 
advantage in the following game: First, A outputs params and a pair of 
identities id_0, id_1 ∈ I. A random b ∈ {0, 1} is chosen. A is given black-box access 
to two oracles U(params, id_b) and U(params, id_{b−1}). The U algorithms produce 
local output sk_b and sk_{b−1} respectively. If sk_b ≠ ⊥ and sk_{b−1} ≠ ⊥ then A receives 
(sk_0, sk_1). If sk_b = ⊥ and sk_{b−1} ≠ ⊥ then A receives (⊥, ε). If sk_b ≠ ⊥ 
and sk_{b−1} = ⊥ then A receives (ε, ⊥). If sk_b = ⊥ and sk_{b−1} = ⊥ then A receives 
(⊥, ⊥). Finally, A outputs its guess b'. We define A’s advantage in the above 
game as |Pr[b' = b] − 1/2|. 

We thus arrive at the following definition. 

Definition 4 (Secure Blind IBE). A blind IBE Π = (Setup, BlindExtract, 
Encrypt, Decrypt) is called IND-sID-CPA-secure (resp. IND-ID-CPA) if and only 
if: (1) Π is IND-sID-CPA-secure (resp. IND-ID-CPA), and (2) BlindExtract is leak 
free and selective-failure blind. 


3.1 IBE Schemes with Efficient BlindExtract Protocols 

In this section, we describe efficient BlindExtract protocols for: (1) the IND-sID-CPA-secure IBE due to Boneh and Boyen [3] and (2) the IND-ID-CPA-secure IBE proposed independently by Naccache and by Chatterjee and Sarkar, which is a generalized version of Waters' IBE. Note that in §3.3 we will be adding some additional features to these IBE schemes; these will help us to construct oblivious transfer protocols in §4. Since all of these schemes share a similar structure, we'll begin by describing their common elements.

Setup($1^\kappa$, $c(\kappa)$): Let $\gamma = (q, g, \mathbb{G}, \mathbb{G}_T, e)$ be the output of BMsetup($1^\kappa$). Choose random elements $h, g_2 \in \mathbb{G}$ and a random value $\alpha \in \mathbb{Z}_q$. Set $g_1 = g^\alpha$. Finally, select a function $F : \mathcal{I} \to \mathbb{G}$ that maps identities to group elements. (The descriptions of $F$ and $\mathcal{I}$ will be defined specific to the schemes below.) Output $params = (\gamma, g, g_1, g_2, h, F)$ and $msk = g_2^\alpha$.

Extract: Identity secret keys are of the form $sk_{id} = (d_0, d_1) = (g_2^\alpha \cdot F(id)^r, g^r)$, where $r \in \mathbb{Z}_q$ is randomly chosen by the master authority. Note that the correctness of these keys can be publicly verified using a test described below.

Encrypt($params$, $id$, $M$): Given an identity $id \in \mathcal{I}$ and a message $M \in \mathbb{G}_T$, select a random $s \in \mathbb{Z}_q$ and output the ciphertext $C = (e(g_1, g_2)^s \cdot M, g^s, F(id)^s)$.

Decrypt($params$, $id$, $sk_{id}$, $C_{id}$): On input a decryption key $sk_{id} = (d_0, d_1) \in \mathbb{G}^2$ and a ciphertext $C = (X, Y, Z) \in \mathbb{G}_T \times \mathbb{G}^2$, output $M = X \cdot e(Z, d_1) / e(Y, d_0)$. (Correctness: $e(Y, d_0) = e(g_1, g_2)^s \cdot e(g, F(id))^{rs}$ and $e(Z, d_1) = e(F(id), g)^{rs}$, so the quotient is $e(g_1, g_2)^s$.)

Next, we'll describe the precise format of the secret keys $sk_{id}$ and the corresponding BlindExtract protocols for particular IBEs.


A BlindExtract Protocol for an IND-sID-CPA-Secure IBE. In the Boneh-Boyen IBE [3], $\mathcal{I} \subseteq \mathbb{Z}_q$ and the function $F : \mathcal{I} \to \mathbb{G}$ is defined as $F(id) = h \cdot g_1^{id}$. A secret key for identity $id$, where $r \in \mathbb{Z}_q$ is random, is:

$$sk_{id} = (d_0, d_1) = (g_2^\alpha \cdot F(id)^r, g^r) = (g_2^\alpha \cdot (h \cdot g_1^{id})^r, g^r).$$

The protocol BlindExtract($V(params, msk)$, $U(params, id)$) is described in Figure 1. Recall that $U$ wants to obtain $sk_{id}$ without revealing $id$, and $V$ wants to reveal no more than $sk_{id}$. Let $\Pi_1$ be the blind IBE that combines the algorithms Setup, Encrypt, Decrypt with the protocol BlindExtract in Figure 1.

Theorem 1. Under the DBDH assumption, blind IBE $\Pi_1$ is secure (according to Definition 4); i.e., BlindExtract is both leak-free and selective-failure blind.

A proof of Theorem 1 is presented in the full version of this work [30].

$V(params, msk)$ (left) and $U(params, id)$ (right):

1. $U$: Choose $y \leftarrow \mathbb{Z}_q$.
2. $U$: Compute $h' \leftarrow g^y g_1^{id}$ and send $h'$ to $V$.
3. $U$: Execute $PoK\{(y, id) : h' = g^y g_1^{id}\}$.
4. $V$: If the proof fails to verify, abort.
5. $V$: Choose $r \leftarrow \mathbb{Z}_q$.
6. $V$: Compute $d'_0 \leftarrow g_2^\alpha \cdot (h' h)^r$.
7. $V$: Compute $d'_1 \leftarrow g^r$.
8. $V$: Send $(d'_0, d'_1)$ to $U$.
9. $U$: Check that $e(g_1, g_2) \cdot e(d'_1, h' h) = e(d'_0, g)$.
10. $U$: If the check passes, choose $z \leftarrow \mathbb{Z}_q$; otherwise, output $\bot$ and abort.
11. $U$: Compute $d_0 \leftarrow (d'_0 / (d'_1)^y) \cdot F(id)^z$ and $d_1 \leftarrow d'_1 \cdot g^z$.
12. $U$: Output $sk_{id} = (d_0, d_1)$.

Fig. 1. A BlindExtract protocol for the Boneh-Boyen IBE. Since $h' h = g^y \cdot F(id)$, the value $d'_0$ returned by $V$ equals $g_2^\alpha \cdot F(id)^r \cdot (d'_1)^y$, which step 11 unblinds and re-randomises to a key with exponent $r + z$.


A BlindExtract Protocol for an IND-ID-CPA-Secure IBE. In the generalized version of Waters' IBE, proposed independently by Naccache and by Chatterjee and Sarkar, the identity space $\mathcal{I}$ is the set of bit strings of length $N$, where $N$ is polynomial in $\kappa$, represented by $n$ blocks of $\ell$ bits each. The function $F : \{0,1\}^N \to \mathbb{G}$ is defined as $F(id) = h \cdot \prod_{j=1}^{n} u_j^{a_j}$, where each $u_j \in \mathbb{G}$ is randomly selected by the master authority and each $a_j$ is an $\ell$-bit segment of $id$. Naccache discusses practical IBE deployment with $N = 160$ and $\ell = 32$. A secret key for identity $id$, where $r \in \mathbb{Z}_q$ is random, is:

$$sk_{id} = (d_0, d_1) = (g_2^\alpha \cdot F(id)^r, g^r) = \Big(g_2^\alpha \cdot \big(h \cdot \prod_{j=1}^{n} u_j^{a_j}\big)^r, g^r\Big).$$

The protocol BlindExtract($V(params, msk)$, $U(params, id)$) is described in Figure 1 with the following alterations. Parse the identity as $id = (a_1, \ldots, a_n)$, where each $a_i$ is $\ell$ bits. In line 2, compute $h'$ as $g^y \cdot \prod_{j=1}^{n} u_j^{a_j}$; in line 3, execute the proof $PoK\{(y, a_1, \ldots, a_n) : h' = g^y \cdot \prod_{j=1}^{n} u_j^{a_j} \ \wedge\ 0 \le a_i < 2^\ell \text{ for } i = 1 \text{ to } n\}$. The range part of this proof (i.e., $0 \le a_i < 2^\ell$) can be performed exactly or, by shortening each $a_i$ by a few bits, can be done at almost no additional cost. Follow the rest of the protocol as is. Let $\Pi_2$ be the blind IBE that combines Setup, Encrypt, Decrypt with the BlindExtract protocol described above.

Theorem 2. Under the DBDH assumption, blind IBE $\Pi_2$ is secure (according to Definition 4); i.e., BlindExtract is both leak-free and selective-failure blind.

A proof of Theorem 2 is presented in the full version of this paper [30].
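The blinding algebra shared by the two BlindExtract protocols above, for the Boneh-Boyen map $F(id) = h \cdot g_1^{id}$ of $\Pi_1$ and the block-wise map $F(id) = h \cdot \prod_j u_j^{a_j}$ of $\Pi_2$, depends only on exponent arithmetic in a prime-order group (steps 2, 6, 7 and 11 of Figure 1), so it can be exercised without a pairing. The following Python simulation is an added example, not code from the paper. It assumes a toy order-$q$ subgroup of $\mathbb{Z}_p^*$ with $p = 2q + 1$ and $q = 1019$ (insecure, chosen only so the example runs in milliseconds); that group has no pairing, so the public key check of step 9, the proof of knowledge of step 3 and Encrypt/Decrypt are not modelled, and a brute-force discrete logarithm stands in for the pairing check when verifying the unblinded key. All function names are this example's own.

```python
import random

# Toy group, an assumption of this example: q = 1019 and p = 2q + 1 = 2039 are both
# prime, so the quadratic residues of Z_p^* form a subgroup of prime order q
# generated by G.  Exponents live in Z_q exactly as in the paper's group G.
Q = 1019
P = 2 * Q + 1
G = 4                      # 2^2 mod p, a generator of the order-q subgroup
SYS = random.SystemRandom()


def rand_exp(rng=SYS):
    """A random non-zero exponent in Z_q."""
    return rng.randrange(1, Q)


def setup(n_blocks=None, rng=SYS):
    """Common Setup.  n_blocks=None gives the Boneh-Boyen map F(id) = h * g1^id;
    n_blocks=n gives the generalized-Waters map F(id) = h * prod_j u_j^{a_j}."""
    alpha = rand_exp(rng)
    g1 = pow(G, alpha, P)
    g2 = pow(G, rand_exp(rng), P)
    h = pow(G, rand_exp(rng), P)
    if n_blocks is None:
        bases = [g1]
    else:
        bases = [pow(G, rand_exp(rng), P) for _ in range(n_blocks)]
    params = {"g1": g1, "g2": g2, "h": h, "bases": bases}
    msk = pow(g2, alpha, P)                     # msk = g2^alpha
    return params, msk


def parse_identity(id_int, n, t):
    """Split an n*t-bit identity into its n t-bit blocks a_1..a_n, most significant first."""
    mask = (1 << t) - 1
    return [(id_int >> (t * (n - 1 - j))) & mask for j in range(n)]


def F(params, id_blocks):
    """F(id) = h * prod_j bases_j^{a_j}.  With bases = [g1] and id_blocks = [id]
    this is the Boneh-Boyen h * g1^id."""
    v = params["h"]
    for base, a in zip(params["bases"], id_blocks):
        v = v * pow(base, a, P) % P
    return v


def user_blind(params, id_blocks, rng=SYS):
    """U, steps 1-2: h' = g^y * prod_j bases_j^{a_j}.  The fresh g^y factor makes
    h' uniform in the group, so V learns nothing about id from it."""
    y = rand_exp(rng)
    h_blind = pow(G, y, P)
    for base, a in zip(params["bases"], id_blocks):
        h_blind = h_blind * pow(base, a, P) % P
    return y, h_blind


def authority_extract(params, msk, h_blind, rng=SYS):
    """V, steps 5-8 (the PoK of step 3 is assumed already verified):
    (d0', d1') = (g2^alpha * (h' h)^r, g^r).  Since h' h = g^y * F(id),
    d0' = g2^alpha * F(id)^r * (d1')^y, and V never sees id."""
    r = rand_exp(rng)
    hh = h_blind * params["h"] % P
    return msk * pow(hh, r, P) % P, pow(G, r, P)


def user_unblind(params, id_blocks, y, d0_blind, d1_blind, rng=SYS):
    """U, steps 10-12: divide out (d1')^y, then re-randomise with a fresh z so the
    final key uses exponent r + z, which V does not know."""
    z = rand_exp(rng)
    d0 = d0_blind * pow(d1_blind, Q - y, P) % P      # (d1')^{-y}: d1' has order q
    d0 = d0 * pow(F(params, id_blocks), z, P) % P
    d1 = d1_blind * pow(G, z, P) % P
    return d0, d1


def blind_extract(params, msk, id_blocks, rng=SYS):
    """The full protocol flow; only h_blind crosses from U to V."""
    y, h_blind = user_blind(params, id_blocks, rng)
    d0_blind, d1_blind = authority_extract(params, msk, h_blind, rng)
    return user_unblind(params, id_blocks, y, d0_blind, d1_blind, rng)


def is_key_for(params, msk, id_blocks, sk):
    """Stand-in for the pairing check e(g1, g2) * e(d1, F(id)) = e(d0, g): recover
    the exponent of d1 by brute force (feasible only for the toy q) and test the
    key shape sk = (g2^alpha * F(id)^r, g^r)."""
    d0, d1 = sk
    r = next(r for r in range(Q) if pow(G, r, P) == d1)
    return d0 == msk * pow(F(params, id_blocks), r, P) % P
```

`is_key_for` confirms that $U$ ends with $(g_2^\alpha F(id)^{r+z}, g^{r+z})$ for the combined exponent $r + z$, while $V$ only ever saw $h' = g^y \cdot F(id)/h$, which is uniformly distributed because of the fresh $y$. In a real deployment the pairing equation of step 9 replaces the brute-force exponent recovery, and the proof of knowledge of step 3 (with the range proof on each $a_i$ for $\Pi_2$) is what stops a user from submitting an $h'$ that does not correspond to any identity.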
3.2 On Other IBEs and HIBEs

Let us briefly summarize what we know about efficient BlindExtract protocols for other IBE schemes and hierarchical IBE (HIBE) schemes. First, random-oracle-based IBEs appear to be less suited to developing efficient BlindExtract protocols than their standard-model successors. This is in part due to the fact that the identity string is hashed into an element of $\mathbb{G}$ in these schemes, instead of being represented as an integer exponent, which makes our proof-of-knowledge techniques unwieldy. We were not able to find BlindExtract protocols for the Boneh and Franklin, Cocks, or the recent Boneh-Gentry-Hamburg IBEs with running time better than $O(|\mathcal{I}|)$, where $\mathcal{I}$ is the identity space. Additionally, we did not consider the efficient IBE of Gentry, as our focus was on schemes with static complexity assumptions.

We additionally considered hierarchical IBE schemes, such as those due to Boneh and Boyen [3], Waters, and Chatterjee and Sarkar. For all of these HIBEs, the number of elements comprising an identity secret key grows with the depth of the hierarchy, but each piece is similar in format to the original keys and our same techniques would apply.


3.3 Additional Properties for a Blind IBE 

In §4 we use blind IBE as a tool for constructing oblivious transfer protocols. We can use either of the efficient blind IBEs $\Pi_1$ and $\Pi_2$ defined above together with the following observations about efficient protocols relating to them.

First, in our OT constructions, we require an efficient zero-knowledge proof of knowledge protocol for the statement $PoK\{(msk) : (params, msk) \in \mathsf{Setup}(1^\kappa, c(\kappa))\}$. If efficiency were not critical, we could accomplish this proof using general techniques. However, for the parameters used in $\Pi_1$, $\Pi_2$, this proof can be conducted efficiently in a number of ways; one technique is to set $msk = \alpha$ and conduct the equivalent $PoK\{(\alpha) : g_1 = g^\alpha\}$ using a standard Schnorr proof.

The second property that we require is more subtle. Note that in the schemes $\Pi_1$ and $\Pi_2$, there are many valid decryption keys for each identity. This may lead to a condition where some incorrectly-formed ciphertexts decrypt differently depending on which secret key is used. This can cause problems with the proofs of full-simulation security for our OT protocols (specifically, we may not be able to show Receiver security). To address this condition in our OT protocols, we require that $\Pi_1$ and $\Pi_2$ possess a property similar to committing encryption. Intuitively, this property ensures that for a ciphertext and identity $(C, id)$: (1) running the honest decryption algorithm on $C$ with respect to any valid secret key for identity $id$ will result in the same unique value, or (2) if this is not so, then this fact can be publicly identified.

Let us define a public ciphertext validity check algorithm, which we denote by IsValid($params$, $id$, $C$). In the case of the blind IBE schemes $\Pi_1$ and $\Pi_2$, we implement this algorithm by first checking that the group parameters $\gamma$ are valid, and then verifying that for any $params$ and $C = (X, Y, Z)$, all the values are in the correct groups and $e(Y, F(id)) = e(Z, g)$. (For an honest ciphertext $Y = g^s$ and $Z = F(id)^s$, so both sides equal $e(g, F(id))^s$; the check thus forces $Z$ to use the same exponent as $Y$, which is what makes the decryption result independent of the key's randomness $r$.) The correctness property for the IsValid algorithm is that it outputs 1 for all honestly-generated parameters and ciphertexts. From the description of $\Pi_1$ and $\Pi_2$, it is easy to see that IsValid is correct. The algorithm's behavior in the case of maliciously-generated input is constrained insofar as it affects the following definition:

Definition 5 (Committing IBE). An IBE scheme (resp., blind IBE) $\Pi$ is committing if and only if: (1) it is IND-sID-CPA-secure (resp., secure in the sense of Definition 4) and (2) every p.p.t. adversary $\mathcal{A}$ has an advantage negligible in $\kappa$ in the following game: First, $\mathcal{A}$ outputs $params$, $id \in \mathcal{I}$ and a ciphertext $C$. If IsValid($params$, $id$, $C$) $\neq 1$ then abort. Otherwise, the challenger, on input $(params, id)$, runs the Extract (resp., BlindExtract) protocol with $\mathcal{A}$ twice to obtain purported keys $sk_{id}$, $sk'_{id}$. $\mathcal{A}$'s advantage is defined as:

$$\big|\Pr[\mathsf{Decrypt}(params, id, sk_{id}, C) \neq \mathsf{Decrypt}(params, id, sk'_{id}, C)]\big|.$$

In the full version of this work [30] we prove that both $\Pi_1$ and $\Pi_2$ are committing blind IBE schemes in the sense of Definition 5.

4 Simulatable Oblivious Transfer 

We now turn our attention to constructing efficient and fully-simulatable oblivious transfer protocols. We'll use any of the efficient blind IBEs presented in the previous section as a building block. In particular, we focus on building (non-adaptive) $OT^N_k$ and (adaptive) $OT^N_{k \times 1}$ protocols, in which a Sender and Receiver transfer up to $k$ messages out of an $N$-message set. In the non-adaptive model, the Receiver requests all $k$ messages simultaneously. In the adaptive model, the Receiver may request the messages one at a time, using the result of previous transfers to inform successive requests. Intuitively, the Receiver should learn only the messages it requests (and nothing about the remaining messages), while the Sender should gain no information about which messages the Receiver selected.

Full-simulation vs. half-simulation security. Security for oblivious transfer is defined via simulation. Informally, a protocol is secure if, for every real-world cheating Sender (resp., Receiver) we can describe an ideal-world counterpart who gains as much information from the ideal-world interaction as from the real protocol. Much of the oblivious transfer literature uses the simulation-based definition only to show Sender security, choosing to define Receiver security by a simpler game-based definition. Naor and Pinkas demonstrated that this weaker "half-simulation" approach permits selective-failure attacks, in which a malicious Sender induces transfer failures that depend on the message that the Receiver requests. Recently, Camenisch et al. [12] proposed several practical $OT^N_{k \times 1}$ protocols that are secure under a "full-simulation" definition, using adaptive (e.g., $q$-PDDH) or interactive (e.g., one-more-inversion RSA) assumptions. We now enhance their results by demonstrating efficient full-simulation $OT^N_k$ and $OT^N_{k \times 1}$ protocols secure under static complexity assumptions (e.g., DBDH).
4.1 Definitions

Recall the definitions for both the non-adaptive and adaptive protocols. For consistency with earlier work, we use the notation from Camenisch et al. [12].

Definition 6 ($k$-out-of-$N$ Oblivious Transfer ($OT^N_k$, $OT^N_{k \times 1}$)). An oblivious transfer scheme is a tuple of algorithms $(S_I, R_I, S_T, R_T)$. During the initialization phase, the Sender and the Receiver run an interactive protocol, where the Sender runs $S_I(M_1, \ldots, M_N)$ to obtain state value $S_0$, and the Receiver runs $R_I()$ to obtain state value $R_0$. Next, during the transfer phase, the Sender and Receiver interactively execute $S_T$, $R_T$ respectively, $k$ times as described below.

Adaptive OT. In the adaptive $OT^N_{k \times 1}$ case, for $1 \le i \le k$, the $i$-th transfer proceeds as follows: the Sender runs $S_T(S_{i-1})$ to obtain state value $S_i$, and the Receiver runs $R_T(R_{i-1}, \sigma_i)$ where $1 \le \sigma_i \le N$ is the index of the message to be received. This produces state information $R_i$ and the message $M'_{\sigma_i}$, or $\bot$ indicating failure.

Non-adaptive OT. In the non-adaptive $OT^N_k$ case the parties execute the protocol as above; however, for round $i < k$ the algorithm $R_T(R_{i-1}, \sigma_i)$ does not output a message. At the end of the $k$-th transfer $R_T(R_{k-1}, \sigma_k)$ outputs the messages $(M'_{\sigma_1}, \ldots, M'_{\sigma_k})$ where for $j = 1, \ldots, k$ each $M'_{\sigma_j}$ is a valid message or the symbol $\bot$ indicating protocol failure. (In a non-adaptive scheme, the $k$ transfers do not necessarily require a corresponding number of communication rounds.)

Definition 7 (Full Simulation Security). Security for oblivious transfer is defined according to a simulation-based definition.

Real experiment. In experiment $\mathrm{Real}_{\hat S, \hat R}(N, k, M_1, \ldots, M_N, \Sigma)$ the possibly cheating sender $\hat S$ is given messages $(M_1, \ldots, M_N)$ as input and interacts with the possibly cheating receiver $\hat R(\Sigma)$, where $\Sigma$ is a selection algorithm that on input messages $(M_{\sigma_1}, \ldots, M_{\sigma_{i-1}})$ outputs the index $\sigma_i$ of the next message to be queried. At the beginning of the experiment, both $\hat S$ and $\hat R$ output initial states $(S_0, R_0)$. In the adaptive case, for $1 \le i \le k$ the sender computes $S_i \leftarrow \hat S(S_{i-1})$, and the receiver computes $(R_i, M'_i) \leftarrow \hat R(R_{i-1})$, where $M'_i$ may or may not be equal to $M_i$. In the non-adaptive case, the Receiver obtains no messages until the $k$-th round, and therefore the selection strategy $\Sigma$ must be non-adaptive. At the end of the $k$-th transfer the output of the experiment is $(S_k, R_k)$.

Ideal experiment. In experiment $\mathrm{Ideal}_{\hat S', \hat R'}(N, k, M_1, \ldots, M_N, \Sigma)$ the possibly cheating sender algorithm $\hat S'$ generates messages $(M^*_1, \ldots, M^*_N)$ and transmits them to a trusted party $T$. In the $i$-th round $\hat S'$ sends a bit $b_i$ to $T$; the possibly cheating receiver $\hat R'(\Sigma)$ transmits $\sigma^*_i$ to $T$. In the adaptive case, if $b_i = 1$ and $\sigma^*_i \in \{1, \ldots, N\}$ then $T$ hands $M^*_{\sigma^*_i}$ to $\hat R'$. If $b_i = 0$ then $T$ hands $\bot$ to $\hat R'$. Note that in the non-adaptive case, $T$ does not give $\hat R'$ any response until the $k$-th round. At the end of the $k$-th transfer the output of the experiment is $(S_k, R_k)$.

Sender Security. $OT^N_{k \times 1}$ provides Sender security if for every real-world p.p.t. receiver $\hat R$ there exists a p.p.t. ideal-world receiver $\hat R'$ such that for all $N = \ell(\kappa)$, $k \in [1, N]$, $(M_1, \ldots, M_N)$, $\Sigma$, and every p.p.t. distinguisher:

$$\mathrm{Real}_{S, \hat R}(N, k, M_1, \ldots, M_N, \Sigma) \approx \mathrm{Ideal}_{S', \hat R'}(N, k, M_1, \ldots, M_N, \Sigma).$$

Receiver Security. $OT^N_{k \times 1}$ provides Receiver security if for every real-world p.p.t. sender $\hat S$ there exists a p.p.t. ideal-world sender $\hat S'$ such that for all $N = \ell(\kappa)$, $k \in [1, N]$, $(M_1, \ldots, M_N)$, $\Sigma$, and every p.p.t. distinguisher:

$$\mathrm{Real}_{\hat S, R}(N, k, M_1, \ldots, M_N, \Sigma) \approx \mathrm{Ideal}_{\hat S', R'}(N, k, M_1, \ldots, M_N, \Sigma).$$


4.2 Constructions 

Non-adaptive $OT^N_k$ without Random Oracles. Given a committing blind IBE scheme $\Pi$, it is tempting to consider the following "intuitive" protocol: First, the Sender runs the IBE Setup algorithm and sends $params$ to the Receiver. Next, for $i = 1, \ldots, N$ the Sender transmits an encryption of message $M_i$ under identity "$i$". To obtain $k$ messages, the Receiver extracts decryption keys for identities $(\sigma_1, \ldots, \sigma_k)$ via $k$ distinct executions of BlindExtract, and uses these keys to decrypt the corresponding ciphertexts. If $\Pi$ is a blind IBE secure in the sense of Definition 4, then a cheating Receiver gains no information about the messages corresponding to secret keys he did not extract. Similarly, with additional precautions, a cheating Sender does not learn the identities extracted. However, it seems difficult to show this protocol is fully-simulatable, because the ideal Sender would have to form the $N$ ciphertexts before learning the messages that $k$ of them must decrypt to.

Fortunately, we are able to convert this simple idea into the fully-simulatable $OT^N_k$ protocol shown in Figure 2. We require only the following modifications: first, we have the Sender prove knowledge of the value $msk$ using appropriate zero-knowledge techniques.¹ Then, rather than transmitting the ciphertext vector during the first phase of the protocol, the Sender transmits only a commitment to a collision-resistant hash of the ciphertext vector, and sends the actual ciphertexts at the end of the $k$-th round together with a proof that she can open the commitment to the hash of the ciphertexts. (She does not open the commitment; she only proves that she knows how to do so.)

Theorem 3 (Full-simulation Security of the $OT^N_k$ Scheme). If blind IBE $\Pi \in \{\Pi_1, \Pi_2\}$ with IsValid as defined in §3.3 and (CSetup, Commit, Decommit) is a secure commitment scheme, then the $OT^N_k$ protocol of Figure 2 is sender-secure and receiver-secure in the full-simulation model under DBDH.

We include a proof of Theorem 3 in the full version [30].

¹ In §3.3 we describe how to conduct these proofs efficiently for the practical blind IBE constructions we consider.

$S_I(M_1, \ldots, M_N)$, $S_T()$ (Sender) and $R_I()$, $R_T(\sigma_1, \ldots, \sigma_k)$ (Receiver):

Sender and Receiver agree on parameters for a commitment scheme and a collision-resistant hash function $H$.ᵃ

1. Sender: Generate $(params, msk) \leftarrow \mathsf{Setup}(1^\kappa, c(\kappa))$.
2. Sender: For $j = 1, \ldots, N$, set $C_j \leftarrow \mathsf{Encrypt}(params, j, M_j)$.
3. Sender: Compute $(\mathcal{C}, \mathcal{D}) \leftarrow \mathsf{Commit}(H(C_1, \ldots, C_N))$.
4. Sender: Send $(params, \mathcal{C})$ to Receiver.
5. Both: Conduct $PoK\{(msk) : (params, msk) \in \mathsf{Setup}(1^\kappa, c(\kappa))\}$.
6. Receiver: If the proof does not verify, abort.

For $i = 1, \ldots, k$, run BlindExtract on identity $\sigma_i$ for Receiver to obtain $sk_{\sigma_i}$. Following the $k$-th extraction:

1. Sender: Send the ciphertexts $(C_1, \ldots, C_N)$ to the Receiver.
2. Both: Conduct $PoK\{(\mathcal{D}) : \mathsf{Decommit}(H(C_1, \ldots, C_N), \mathcal{C}, \mathcal{D}) = 1\}$.
3. Receiver: If the proof does not verify, or for any $i$ IsValid($params$, $i$, $C_i$) $\neq 1$, abort and set $M'_{\sigma_1}, \ldots, M'_{\sigma_k} \leftarrow \bot$.
4. Receiver: For $i = 1$ to $k$: If BlindExtract on $\sigma_i$ failed, set $M'_{\sigma_i} \leftarrow \bot$; else, set $M'_{\sigma_i}$ to the value $\mathsf{Decrypt}(params, \sigma_i, sk_{\sigma_i}, C_{\sigma_i})$.

Sender outputs $S_k$. Receiver outputs $R_k = (M'_{\sigma_1}, \ldots, M'_{\sigma_k})$.

ᵃ In the case of Pedersen's commitment scheme, the parameters may be generated by the Receiver. $H$ may also be selected by the Receiver.

Fig. 2. $OT^N_k$ from any of the committing blind IBEs in §3.1 with input messages $M_1, \ldots, M_N \in \mathcal{M}$. We present the $S_I$, $R_I$, $S_T$, $R_T$ algorithms in a single protocol flow.

Adaptive $OT^N_{k \times 1}$ in the Random Oracle Model. While our first protocol is efficient and full-simulation secure, it permits only non-adaptive queries. For many practical applications (e.g., oblivious retrieval from a large database), we desire a protocol that supports an adaptive query pattern. We approach this goal by first proposing an efficient $OT^N_{k \times 1}$ protocol secure in the random oracle model. The protocol, which we present in Figure 3, requires an IBE scheme with a super-polynomial message space (as in the constructions of §3.1), and has approximately the same efficiency as the construction with random oracles of Camenisch et al. [12]. However, their construction requires unique blind signatures, and the two known options, due to Chaum and to Boldyreva, both require interactive complexity assumptions. By using the blind IBE schemes in §3.1 our protocols can be based on the DBDH assumption.

$S_I(M_1, \ldots, M_N)$ (Sender) and $R_I()$ (Receiver):

1. Sender: Select $(params, msk) \leftarrow \mathsf{Setup}(1^\kappa, c(\kappa))$.
2. Sender: Select random $W_1, \ldots, W_N \in \mathcal{M}$, and for $j = 1, \ldots, N$ set:
   - $A_j \leftarrow \mathsf{Encrypt}(params, j, W_j)$
   - $B_j \leftarrow H(W_j) \oplus M_j$
   - $C_j = (A_j, B_j)$
3. Both: Conduct $PoK\{(msk) : (params, msk) \in \mathsf{Setup}(1^\kappa, c(\kappa))\}$.
4. Sender: Send $(params, C_1, \ldots, C_N)$ to Receiver.
5. Receiver: If the proof fails to verify or for any $i$ IsValid($params$, $i$, $C_i$) $\neq 1$, abort and set $M'_{\sigma_1}, \ldots, M'_{\sigma_k} \leftarrow \bot$.

Sender outputs $S_0 = (params, msk)$. Receiver outputs $R_0 = (params, C_1, \ldots, C_N)$.

$S_T(S_{i-1})$ (Sender) and $R_T(R_{i-1}, \sigma_i)$ (Receiver):

In the $i$-th transfer, run BlindExtract on identity $\sigma_i$ for Receiver to obtain $sk_{\sigma_i}$.

1. Receiver: If BlindExtract fails, then set $M'_{\sigma_i}$ to $\bot$.
2. Receiver: Else set $t \leftarrow \mathsf{Decrypt}(params, \sigma_i, sk_{\sigma_i}, A_{\sigma_i})$ and set $M'_{\sigma_i} \leftarrow B_{\sigma_i} \oplus H(t)$.

Sender outputs $S_i = S_{i-1}$. Receiver outputs $R_i = (R_{i-1}, M'_{\sigma_i})$.

Fig. 3. Adaptive $OT^N_{k \times 1}$ from any of the committing blind IBEs in §3.1 with $M_1, \ldots, M_N \in \{0,1\}^\ell$. Let the hash $H : \mathcal{M} \to \{0,1\}^\ell$ be modeled as a random oracle.

Theorem 4 (Full-simulation Security of the $OT^N_{k \times 1}$ Scheme). If blind IBE $\Pi \in \{\Pi_1, \Pi_2\}$ with IsValid as defined in §3.3 and $H$ is modeled as a random oracle, then the $OT^N_{k \times 1}$ protocol of Figure 3 is sender-secure and receiver-secure in the full-simulation model under DBDH.

We include a proof of Theorem 4 in the full version [30].

Adaptive $OT^N_{k \times 1}$ without Random Oracles. The random-oracle $OT^N_{k \times 1}$ presented above is reasonably efficient both in terms of communication cost and round-efficiency. Ideally, we would like to construct a protocol of comparable efficiency in the standard model. We could construct an $OT^N_{k \times 1}$ protocol by compiling $k$ instances of the non-adaptive $OT^N_1$ from §4.2. Each protocol round would consist of a 1-out-of-$N$ instance of the protocol, with new IBE parameters and a new vector of ciphertexts $(C_1, \ldots, C_N)$. To ensure that each round is consistent with the previous rounds, the Sender would need to prove that the underlying plaintexts remain the same from round to round. This can be achieved using standard proof techniques, but is impractical for large values of $k$ or $N$.

Alternatively, we could combine our scheme with the standard-model $OT^N_{k \times 1}$ of Camenisch et al. [12]. Their efficient $OT^N_{k \times 1}$, for example, incurs only a constant cost per transfer phase. However, the protocol relies on the dynamic $q$-Strong DH and $q$-Power Decisional DH assumptions, where large values of $q$ require larger than normal security parameters. Fortunately, one might be able to keep $q$ small (on the order of $k$ rather than $N$) by combining the Camenisch et al. scheme with ours as follows: in their initialization, the Sender releases $N$ values corresponding to the messages, which requires $q = N$. Instead, we could use a blind IBE scheme to encrypt these $N$ values during initialization, and then, during the adaptive transfer phase, a Receiver could request the decryption key of his choice along with the information required in the Camenisch et al. scheme. This reduces the number of values available to an adversary to $q = k$.

5 Other Applications of Blind IBE 

Privacy-preserving delegated keyword search. Several works use IBE as a building block for public-key searchable encryption. These schemes permit a keyholder to delegate search capability to other parties. For example, Waters et al. describe a searchable encrypted audit log in which a third-party auditor is granted the ability to independently search the encrypted log for specific keywords. To enable this function, a central authority generates "trapdoors" for the keywords that the auditor wishes to search on. In this scenario, the trapdoor generation authority necessarily learns each of the search terms. This may be problematic in circumstances where the pattern of trapdoor requests reveals sensitive information (e.g., the name of a user under suspicion). By using blind and partially-blind IBE, we permit the authority to generate trapdoors, yet learn no information (or only partial information) about the search terms.²

Blind and partially-blind signature schemes. Moni Naor observed that each adaptive-identity secure IBE implies an existentially unforgeable signature scheme. By the same token, an adaptive-identity secure blind IBE scheme implies an unforgeable, selective-failure blind signature scheme. This result applies to the adaptive-identity secure $\Pi_2$ protocol of §3.1 and to the selective-identity secure protocol $\Pi_1$ when that scheme is instantiated with appropriately-sized parameters and a hash function (see §7 of the full version [30]). The efficient BlindExtract protocol for the adaptive-identity secure $\Pi_2$ scheme can also be used to construct a partially-blind signature, by allowing the signer (the master authority) to supply a portion of the input string. Partially-blind signatures have many applications, such as document timestamping and electronic cash.

Temporary anonymous identities. In a typical IBE, the master authority can link users to identities. For some applications, users may wish to remain anonymous or pseudonymous. By employing (partially-)blind IBE, an authority can grant temporary credentials without linking identities to users or even learning which identities are in use.

² Boneh et al. note that keyword search schemes can be constructed from any key-anonymous IBE scheme. While the schemes used here are not key anonymous, Boyen and Waters remark that key anonymity in similar schemes might be achieved by implementing them in asymmetric bilinear groups.
Abstract. We develop a new multi-party generalization of Naor-Nissim indirect indexing, making it possible for many participants to simulate a RAM machine with only poly-logarithmic blow-up. Our most efficient instantiation (built from length-flexible additively homomorphic public key encryption) improves the communication complexity of secure multi-party computation for a number of problems in the literature. Underlying our approach is a new multi-party variant of oblivious transfer which may be of independent interest.

Keywords: communication complexity, oblivious RAM machine, privacy-preserving protocols, secure multiparty computation.

1 Introduction

Naor-Nissim indirect indexing allows two parties to privately access an array at a shared index. We develop a multiparty generalization of Naor-Nissim indirect indexing, and show that our methods have many cryptographic applications. For example, we can transform any non-private multiparty protocol into a private one, in a manner that preserves its communication efficiency. Further, we can construct a multiparty generalization of Naor-Nissim circuits with look-up tables, enabling any number of parties to privately and obliviously simulate a RAM machine with only polylogarithmic overhead. The tools we build also yield automatic generalizations and efficiency improvements for several other protocols, including those for secure distributed constraint satisfaction and private stable matching.

Underlying our techniques is a useful multiparty generalization of oblivious transfer (mOT), which may be of independent interest. In mOT, the role of the chooser is divided among many participants, each of whom holds a share of an input and receives a share of the output. We define this primitive and its related security notions, and provide two main constructions. Our first construction is generic, and can be built from black-box access to any ordinary two-party oblivious transfer. Our second construction is highly efficient and uses length-flexible additively homomorphic public key encryption.

The paper is organized as follows. In Section 2 we define our multiparty generalization of Naor-Nissim indirect indexing. In Section 3 we show how this tool yields multiparty generalizations of existing protocols and efficiency improvements in existing multiparty protocols. In Section 4 we reduce the construction of multiparty indirect indexing to that of a simpler protocol, which can be seen as a multiparty variant of the well-known oblivious transfer primitive. In Section 5 we provide an efficient construction for this new protocol.

K. Kurosawa (Ed.): ASIACRYPT 2007, LNCS 4833, 2007.

© International Association for Cryptologic Research 2007
1.1 Background and Related Work

General secure multiparty computation can be used to privately implement the functions of interest in our paper, though rather inefficiently. In particular, the communication complexity of such a construction for our mOT function would be linear in the size of the database. We are most interested in protocols with sublinear communication complexity.

Ostrovsky and Shoup design communication-efficient protocols for the case where the database is shared between $k$ servers and the index to be accessed is held by a single chooser. Only the chooser will learn the element in this position. Our setting is more general, as the index and final output cannot be learned by any one party, and are instead shared. As a result, our protocols automatically give new constructions for the problem considered by Ostrovsky and Shoup. Their goal, however, is information-theoretic security, while we work in the computational setting.

Naor and Pinkas introduce distributed oblivious transfer, which distributes the task of the database among multiple servers to compute the standard oblivious transfer functionality. Unconditional security is guaranteed as long as only a limited number of these participants collude. Unlike our mLUT protocol, the database is not shared explicitly between the servers. Instead, the database sends these servers a "transfer function," which allows each to compute a value related to the original database. From these values, the chooser can compute the original desired value in the database.

Barkol and Ishai design a communication-efficient secure multiparty protocol in which $m$ parties share an input $x$, and all hold the same constant-depth circuit $C$. Parties then privately compute $C(x)$. Let $x = \sigma$ be an index shared between the parties and let circuit $C$ hard-code the elements of a database $A$ and return the $x$-th element as its output. Our construction is different in the sense that the database and the final output are not known to any single party and are shared instead. These are crucial properties that we need in order to securely implement multiparty circuits with look-up tables.

Since its proposal by Rabin, oblivious transfer has been a widely studied primitive and many variants, reductions, and applications have been considered. Even, Goldreich and Lempel formalized 1-out-of-2 OT as a generalization of Rabin's OT. This was further generalized by Brassard, Crépeau and Robert into 1-out-of-$n$ OT, under the name "all-or-nothing disclosure of secrets." We believe that the mOT primitive may be of independent interest. Goldreich and Vainish and Kilian show that OT is a complete primitive in the sense that two parties can compute any circuit securely using only black-box access to OT. Goldreich provides a nice presentation of the completeness of OT using a linear (in the circuit size) number of invocations of 1-out-of-4 two-party OT. Our mOT primitive directly translates this result to the case of general multiparty computation in a straightforward fashion, yielding a new proof of this result. It also leads to new proofs for other results in general secure multiparty computation such as, for example: given a secure two-party OT protocol, $n$ parties can compute any function $n$-privately; given secure channels, $n$ parties can compute any function $t$-privately (information theoretically) for $t < n/2$; and similar results.

In concurrent and independent work, Ishai et al. design an mOT protocol under the name "distributed OT." Both our protocol and theirs involve the use of efficient PIR protocols, though in different ways. Thus, our work gives new constructions for the results in their paper. Comparing our two tools, our database performs $O(n)$ work where theirs performs $O(n^2)$, where $n$ is the size of the database. While both tools are comparable in terms of communication efficiency, theirs is only efficient in this sense under some limitations on the number of parties $m$, since the size of the messages passed in their scheme is linear in $m$. The length of the messages passed in our protocol is independent of the number of parties, and thus we impose no limit on the number of parties involved in our protocols. Additionally, our protocol has a logarithmic (in $n$) round complexity, while theirs has a linear (in $m$) round complexity (the database's response is a $\log n$-iterated encryption in the former, and an $(m-1)$-iterated encryption in the latter).

1.2 Definitions and Notation

We use the following definitions and notations.

Notation 1. We denote the negation of bit b by ¬b.

Definition 2 (t-privacy). A protocol is t-private if any set of at most t participants cannot compute, after the protocol, more than they could jointly compute solely from their set of private inputs and outputs.

Notation 3 (Asymptotic notation). We use the following asymptotic notation: o(f) denotes that the asymptotic upper bound f is not tight; Ω(f) denotes that the asymptotic lower bound f is tight; and Õ(f) denotes the asymptotic upper bound O(f), ignoring polylog(f) factors.

Notation 4 (Share notation). We let ([δ]_1, [δ]_2, ..., [δ]_m) be the collection of the shares of δ split among m parties via some secret-sharing scheme, so that player i holds the share [δ]_i. When the subscript can be determined from context, we abuse notation and omit the subscript for ease of exposition; thus, we may denote the share of player i as, simply, [δ].

2 Secure Multiparty Computation with Look-Up Tables 

Naor and Nissim [23] define and give a secure two-party protocol for circuits with look-up tables. In the computational model of circuits with look-up tables, gates of a circuit are represented by look-up tables (LUT). The LUT input wires define the table entries and an index, and the LUT output wires are set according to the value stored in the indexed position. The protocol for private LUT serves as a building block in a protocol for privately evaluating circuits with LUT (a variant of the garbled circuit transformation). Here, we extend the definition of the look-up table primitive to the multiparty case.

Definition 5 (Multiparty LUT). In a multiparty LUT (mLUT) protocol, all the parties are both a chooser and a database holder. Each party i holds a share of the database A, and a share of the index σ. At the end of the protocol, each party learns a share of δ_σ, the element at position σ in database A. Let A = (δ_0, ..., δ_{n−1}). Let party i's share of δ be denoted by [δ]_i. Then, the mLUT protocol can be summarized by the following protocol Π:

$\Pi([A]_1, [\sigma]_1; [A]_2, [\sigma]_2; \ldots; [A]_m, [\sigma]_m) \to ([\delta_\sigma]_1; [\delta_\sigma]_2; \ldots; [\delta_\sigma]_m)$

Definition 6 (Private mLUT). We call an mLUT protocol t-private if no coalition of up to t parties can learn any information about σ or any of the elements in A.

Circuits with LUT amount to performing computations with tables as follows. (1) Read operations: The table values as well as the index specifying the location of the read item are either preset or the result of an intermediate computation. In particular, it is possible to perform any kind of indirect read. (2) Write operations: The value written to the table may be the result of an intermediate operation, but the location should be predetermined. In other words, no indirect writes are allowed.

It follows that any computation on a RAM machine where write operations are oblivious, in the sense that the time and location of the write operations do not depend on the input and randomness, may be emulated by circuits with LUT.

Results of Pippenger and Fischer [?] imply that when considering circuits vs. Turing Machines there is no significant advantage to the latter, since there exists a series of circuits of size comparable to the running time of the Turing Machine. Currently it is not known whether a similar result applies to circuits vs. RAM machines. In particular, there is a potential gap between the two, i.e., a computation on a RAM machine may be much more efficient than any circuit family. But for circuits with LUT this gap is closed. In particular, note that for any write-oblivious RAM machine M running in time T(n), there exists a family of circuits with LUT of size T(n) computing f_M. Now, all one needs to show is an efficient simulation of any RAM machine using a write-oblivious RAM machine. Such a simulation exists, with polylogarithmic blow-up [?]. Specifically, for any RAM machine M running in time T(n) using space S(n), there exists a series of circuits with LUT of size T(n) polylog(S(n)) computing f_M.

3 Applications 

Although we have not yet provided a private protocol for multiparty LUT (mLUT), we show how such a protocol leads to immediate efficiency improvements for several privacy-preserving protocols in the literature and to efficient multiparty generalizations of existing two-party protocols.

We note that by replacing the two-party private LUT of Naor and Nissim [23] with a private construction of mLUT, we generalize all the constructions given in that paper to the multiparty case. In Appendix A of the full version of this paper [?], we present a multiparty generalization of the communication complexity model and a transformation which makes any efficient, non-private protocol in this model into an efficient, private protocol with the same functionality. Also, a private mLUT protocol automatically yields the ability to simulate, as a multiparty computation, a private oblivious RAM machine with only a polylog (in the size of the RAM) blowup in communication between the parties.

Furthermore, we believe our mLUT protocol to be useful in a variety of existing applications, such as private multiparty sampling protocols [?], distributing the function of an "auction issuer" in Naor-Pinkas-Sumner style auctions [?], private approximation protocols, and any setting where a global decision is privately computed using access to some of the inputs of several parties. In the remainder of this section, we discuss applying our tools to two such domains: protocols for distributed constraint satisfaction problems, and protocols for the stable matching problem.

3.1 Private DisCSPs 

Distributed constraint satisfaction problems (DisCSPs) are composed of agents holding local variables, and a constraint network that restricts the legal assignments to agents' variables. A solution to a DisCSP is an assignment to variables that is in agreement with all the constraints [?]. To achieve this goal, agents run a protocol where they check assignments to their and other agents' variables for consistency. Distributed CSPs are an elegant model for many everyday combinatorial problems that are distributed by nature, such as meeting scheduling [?], in which agents attempt to schedule meetings according to their constrained personal schedules.

Nissim and Zivan [?] design new secure protocols for DisCSPs based on advanced search heuristics. The first protocol they design is a centralized protocol, where two of the agents collect "encrypted" data from all other parties and obliviously perform a search algorithm. Their centralized algorithm avoids information leakage to all agents; their second protocol makes the first step toward a feasible distributed secure protocol for solving DisCSPs. They construct a network, whose nodes are small groups (e.g., pairs) of agents, from the original DisCSP. Each node group obliviously performs the roles of all its members in the search algorithm. This protocol has the following disadvantages: (1) it is not fully distributed, and a small collusion of agents could learn information about the other participants' private inputs; (2) as mentioned in the paper, the protocol is not perfectly secure, i.e., the communication pattern in the protocol leaks information about the agents' private inputs.

Using our private construction for multiparty computation of circuits with LUT, we can securely extend the centralized protocol given in Section 5 of [?] to a fully distributed one without adding any overhead in the communication or computation of their protocol. More specifically, the agents will collectively share the private data and obliviously perform the search algorithm. This leads to the first fully distributed and completely secure protocol for DisCSPs. For completeness, we include a brief description of our construction in Appendix B of the full version of this paper [?].

3.2 Private Stable Matching 

Golle [?] initiated the study of privacy-preserving protocols for stable matching, arguing persuasively that such protocols could have great practical benefit. In Golle's framework, m "matching authorities" receive the encrypted preference lists from the participants and then perform a secure multiparty computation to return the stable matching to the participants. Franklin et al. [?] revisit Golle's work and design substantially more efficient protocols for private stable matching in this framework. Naor, Pinkas, and Sumner [?] observe, in considering this problem as a possible domain for their paper's techniques, that the algorithm for solving the stable matching problem requires the power of indirect addressing of a RAM and, thus, its translation into a circuit is rather inefficient. Indeed, the stable matching algorithm of Franklin et al. [?] can be efficiently implemented as a circuit of size O(n^2) with access to a RAM. More specifically, one can implement their algorithm [?, Section 5] in the multiparty setting^1 by implementing their array/matrix accesses using our mLUT protocol. In this way, we extend this (very efficient) construction of theirs from two-party to multiparty, yielding a protocol in the same framework as Golle and Franklin et al., but a factor of n more efficient than previous private stable matching protocols. The following table compares our results with those of the previous work.


Protocol              Total Work      Total Communication   Round Complexity
Golle [?]             O(n^5)          O(mn^5)               Õ(n^3)
Franklin et al. [?]   O(n^4 log n)    O(mn^3)               O(n^2)
Ours                  O(n^4)          O(mn^2)               O(n^2)


4 Protocols for Private mLUT 

In this section, we reduce the problem of constructing a protocol for private mLUT to a subproblem we call "generalized multiparty oblivious transfer." First we define this subproblem, and then we show our construction for mLUT. Later, we define a related protocol we call "multiparty oblivious transfer" and draw connections between this new primitive and general multiparty computation. Finally, in Section 5 we give a construction for an efficient, private g-mOT protocol, completing our private mLUT construction.

4.1 A Construction for Private mLUT 

Our construction for the private mLUT protocol invokes a protocol called generalized multiparty oblivious transfer (g-mOT) for each share of the database. Parties get their shares of the output for each run of the g-mOT protocol and combine their shares in the appropriate way to compute shares of the indexed position in the original database A. We define generalized mOT below, and then describe this protocol in more detail.

Definition 7 (Generalized multiparty oblivious transfer). Generalized multiparty oblivious transfer (g-mOT) is a protocol involving m parties where: at the beginning of the protocol, each party holds a share of a secret index σ and one distinguished party holds a table of n bits, the database A = (δ_0, ..., δ_{n−1}); at the end of the protocol, each party holds a share of the database element δ_σ. In the terminology of oblivious transfer, every party is a chooser and one party is also the database. The protocol Π for (n choose 1)-g-mOT(m, t) can be summarized as:

$\Pi(A; [\sigma]_1; [\sigma]_2; \ldots; [\sigma]_m) \to ([\delta_\sigma]_1; [\delta_\sigma]_2; \ldots; [\delta_\sigma]_m)$

^1 Franklin et al. generalize this two-party protocol to the multiparty case, but the resulting protocol is only secure in a new security model where one considers collections of pairs of matching authorities, where each pair is honest-majority. Our generalization is secure in the standard passive adversary security model where up to a certain threshold of players may be corrupted.

We give a full security description of g-mOT later but, for our mLUT construction, we only require that this protocol be t-private.

For simplicity, we assume that the outputs and database are shared using XOR sharing in the construction below. Any other sharing scheme would work fine, however, as the overhead for switching between different sharing methods does not affect the overall complexity of our protocols. Again, let m be the number of parties participating in the protocol. Let chooser i hold A^i = (δ^i_0, ..., δ^i_{n−1}), where ⊕_i A^i = A (entrywise). The protocol is outlined below.

Inputs: Each party holds a share of the database A = (δ_0, ..., δ_{n−1}) and a share of the index σ.

Output: Each party holds a share of δ_σ.

- For i = 1 to m:

  • Parties run, with party i acting as the database holder,

  $\text{g-mOT}(A^i; [\sigma]_1; [\sigma]_2; \ldots; [\sigma]_m) \to ([\delta^i_\sigma]_1; [\delta^i_\sigma]_2; \ldots; [\delta^i_\sigma]_m).$

- Participant j locally computes a share of δ_σ as $[\delta_\sigma]_j = \bigoplus_{i=1}^{m} [\delta^i_\sigma]_j$.

Claim. The complete protocol is a t-private multiparty LUT. The protocol has O(kℓ log^2 n poly(m)) communication complexity and O(log n) round complexity, where k is a security parameter, m is the total number of parties, and the database is composed of n strings of bit-length ℓ.

Proof (Sketch). Our mLUT protocol uses m invocations of a generalized mOT protocol. Thus, the communication complexity of our mLUT construction is simply m times that of the g-mOT protocol from Section 5.2. Since we can run the generalized mOT protocols in parallel, the round complexity of the mLUT protocol remains the same as that of the g-mOT protocol. The t-privacy of the mLUT protocol follows from general composition theorems [?] and the t-privacy of our g-mOT protocol.

4.2 Multiparty Oblivious Transfer 

Before we give a construction for an efficient t-private generalized multiparty oblivious transfer protocol, we explore a related protocol we call multiparty oblivious transfer. We also give a detailed security definition for these protocols, as there may be interesting applications that require something stronger than t-privacy.

Multiparty oblivious transfer (mOT) is a protocol involving m' + 1 parties: m' choosers and a database. Each chooser holds a share of a secret index σ ∈ [0, n−1]. The database holds a table^2 of n bits, A = (δ_0, ..., δ_{n−1}). At the end of the protocol, each chooser holds a share of the database element δ_σ. The protocol Π for (n choose 1)-mOT(m', t) can be summarized as follows:

$\Pi(A; [\sigma]_1; \ldots; [\sigma]_{m'}) \to (\emptyset; [\delta_\sigma]_1; \ldots; [\delta_\sigma]_{m'})$

^2 In Section 5.2 we consider a generalization of this definition, where the database is a table of n strings, each of length ℓ.

We consider mOT for its simplicity and because, in many scenarios, g-mOT reduces to mOT. For example, by letting m = m' + 1 it is clear that, when the inputs and outputs are XOR shares, there is a simple reduction of g-mOT to mOT. More specifically, the database in the g-mOT protocol can compute the database A' by permuting A according to x_0 (its share of the secret index) and blinding each entry by a random y_0 (its share of the output). Considering XOR shares, then, generalized mOT reduces to an invocation of the following mOT protocol Π:

$\Pi(A'; x_1; \ldots; x_{m'}) \to (\emptyset; y_1; \ldots; y_{m'}), \quad \text{where } \bigoplus_{i=0}^{m'} x_i = \sigma \text{ and } \bigoplus_{i=0}^{m'} y_i = \delta_\sigma.$
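The following Python simulation is an added illustration of the two constructions just described (it is not code from the paper): the mLUT of Section 4.1 built from m runs of g-mOT, and the reduction of g-mOT to mOT by permuting the table by the database holder's own index share x_0 and blinding it with y_0. Every protocol is modelled as an ideal functionality (a trusted routine that sees all inputs and returns fresh random XOR shares), so only the share arithmetic is exercised. The database contents, the 16-bit share width and the assumption that n is a power of two (so XOR shares of an index stay inside [0, n)) are choices made for this example.

```python
import secrets
from functools import reduce
from operator import xor

# Added illustration, not the paper's code: XOR-shared mLUT from g-mOT, with
# g-mOT obtained from an ideal mOT by the permute-and-blind reduction.
# Assumption: n is a power of two, so XOR shares of an index stay in [0, n).

def xor_all(values):
    return reduce(xor, values, 0)

def xor_share(value, parties, bits):
    """Split `value` (< 2**bits) into `parties` uniformly random XOR shares."""
    shares = [secrets.randbits(bits) for _ in range(parties - 1)]
    shares.append(xor_all(shares) ^ value)
    return shares

def ideal_mot(table, index_shares):
    """Ideal mOT: the database holds `table`, each chooser an XOR share of sigma.
    The database learns nothing; the choosers get XOR shares of table[sigma]."""
    sigma = xor_all(index_shares)
    return xor_share(table[sigma], len(index_shares), 16)

def gmot_via_mot(db_table, index_shares, db_party):
    """g-mOT from mOT: party `db_party` holds the table and index share x0.
    It sets A'[j] = A[j ^ x0] ^ y0 for a random y0 and keeps y0 as its own
    output share; the other parties run mOT on A' with their index shares.
    Since XOR(others) ^ x0 = sigma, the mOT output is A[sigma] ^ y0."""
    m = len(index_shares)
    others = [j for j in range(m) if j != db_party]
    x0, y0 = index_shares[db_party], secrets.randbits(16)
    permuted = [db_table[j ^ x0] ^ y0 for j in range(len(db_table))]
    chooser_shares = ideal_mot(permuted, [index_shares[j] for j in others])
    out = [0] * m
    out[db_party] = y0
    for j, share in zip(others, chooser_shares):
        out[j] = share
    return out

def mlut(db_shares, index_shares):
    """mLUT: db_shares[i] is party i's entrywise XOR share of the database.
    Run g-mOT once per share with party i as the database holder, then each
    party XORs its m output shares to obtain its share of delta_sigma."""
    m = len(db_shares)
    runs = [gmot_via_mot(db_shares[i], index_shares, i) for i in range(m)]
    return [xor_all(runs[i][j] for i in range(m)) for j in range(m)]

def demo(database, sigma, m):
    """Share database and index among m parties, run mLUT, reconstruct."""
    n = len(database)
    if n & (n - 1):
        raise ValueError("index XOR-sharing needs n to be a power of two")
    index_shares = xor_share(sigma, m, n.bit_length() - 1)
    per_entry = [xor_share(entry, m, 16) for entry in database]
    db_shares = [[per_entry[j][i] for j in range(n)] for i in range(m)]
    return xor_all(mlut(db_shares, index_shares))

if __name__ == "__main__":
    DB = [0x1234, 0xBEEF, 0x0042, 0xCAFE, 0x0000, 0xFFFF, 0x0BAD, 0xF00D]  # constructed
    for s in range(len(DB)):
        assert demo(DB, s, 4) == DB[s]
    print("mLUT via g-mOT via ideal mOT: all 8 lookups reconstruct correctly")
```

Note that no single party ever holds A, σ or δ_σ in the clear: the database holder of run i sees only its own share A^i, and each party's final output is an XOR share. Reconstructing in `demo` is done only to check correctness.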

Definition 8 (Secure mOT). Following Naor and Pinkas [25], we give a detailed, four-parameter security definition for this new variant of oblivious transfer. We relate this definition to the more common and intuitive security notion of t-privacy. We say the mOT protocol is (t_1, t_2, t_3, t_4)-secure if, when all the participants follow their steps properly (i.e., considering a passive adversary), the following properties are met:

input t_1-privacy: no coalition of up to t_1 choosers should be able to learn any information about σ.

output t_2-privacy: no coalition of up to t_2 choosers should be able to learn any information about δ_σ.

chooser t_3-privacy: the database should not be able to learn any information about σ, even when colluding with up to t_3 other participants.

database t_4-privacy: no coalition of up to t_4 non-database players should be able to learn any information about δ_j for j ≠ σ.

We could easily create information-theoretic and computational variants of this definition by specifying the power of the adversary accordingly.

Remark 1. The following are automatic consequences.

- (t_1, t_2, t_3, t_4)-security implies min(t_1, t_2, t_3 + 1, t_4)-privacy.

- It is necessary that t_3 ≤ min(t_1, t_2). For g-mOT this becomes strict, t_3 < min(t_1, t_2).

- For g-mOT, since the database is a chooser, there is always a collusion of t_3 + 1 choosers who can learn σ, so t_1 = t_3 + 1. Furthermore, t_1 = t_2 because, for the database, learning σ implies learning δ_σ (and vice versa). Thus, for g-mOT, t-privacy implies (t, t, t − 1, t_4)-security, for some t_4 ≥ t.

- If the players are computationally unbounded, it must be the case that (m' + 1)/2 > min(t_1, t_2, t_3 + 1, t_4), or else we contradict known results for the privacy of unconditionally secure multiparty computation.
5 Protocols for Private mOT and g-mOT

In this section, we give two constructions for multiparty oblivious transfer. The first 
mOT construction uses blackbox access to two-party oblivious transfer, showing that 
mOT can be constructed under a variety of complexity assumptions. The second is 
a construction of g-mOT which we rely on for our earlier applications, as it is effi- 
cient in terms of communication complexity. We leave open the problem of finding a 
fully black-box transformation of two-party oblivious transfer into multiparty oblivious 
transfer with sublinear (in size of the database) blowup in communication complexity. 

5.1 A Generic Construction for 1-Out-of-2 mOT

Here, we describe a generic construction for a 1-out-of-2 mOT protocol, using blackbox access to a two-party oblivious transfer protocol. For this construction, we consider the case where the secret σ is shared among the m' choosers using XOR sharing. Let chooser i hold share b_i, with ⊕_i b_i = σ.

1. The database chooses 2m' bits, {(r^1_0, r^1_1), (r^2_0, r^2_1), ..., (r^{m'}_0, r^{m'}_1)}, uniformly at random, such that the bits satisfy the following condition: for every choice of the shares b_1, ..., b_{m'},

   $\bigoplus_{i=1}^{m'} r^i_{b_i} = \delta_\sigma, \quad \text{where } \sigma = \bigoplus_{i=1}^{m'} b_i.$

2. For all 1 ≤ i ≤ m': Chooser i and the database run a two-party oblivious transfer protocol, where the chooser's private input is b_i and the database's private input is the two-element "database" (r^i_0, r^i_1).

3. The output for chooser i is r^i_{b_i}, which, according to the previous condition, is an XOR share of δ = δ_σ.

It is clear that the values of the 2m' variables which satisfy the above condition are precisely the solutions to the following set of m' + 1 linear equations:

$\{\, r^i_1 = \delta_0 \oplus \delta_1 \oplus r^i_0 : i < m' \,\}, \quad r^{m'}_0 = \delta_0 \oplus \bigoplus_{i=1}^{m'-1} r^i_0, \quad \text{and} \quad r^{m'}_1 = \delta_1 \oplus \bigoplus_{i=1}^{m'-1} r^i_0.$

In this form, it is easier to see that the database can find a random solution to the above system by simply choosing the values for the variables {r^i_0 : i < m'} uniformly at random. The remaining values are uniquely defined.

When the two-party oblivious transfer protocol is private, the above mOT protocol is (m' − 1)-private. This construction is essentially the same as that of Crépeau and Kilian [?], though in a different context, and our proof of security follows directly from theirs.
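As an added illustration (not the paper's code), the following Python simulates the construction above: the database solves the linear system to sample the pairs (r^i_0, r^i_1), each chooser obtains r^i_{b_i} through an idealised two-party 1-out-of-2 OT, and the XOR of the choosers' outputs is checked to equal δ_σ for every database and every sharing of σ. A second function performs an empirical sanity check of the (m' − 1)-privacy claim: the joint outputs of any coalition of fewer than m' choosers are uniformly distributed regardless of (δ_0, δ_1), while the full set of m' choosers of course reconstructs δ_σ. The ideal OT stands in for any private two-party OT protocol; the trial counts and tolerance are choices made for this example.

```python
import secrets
from itertools import product
from functools import reduce
from operator import xor

# Added example, not the paper's code: 1-out-of-2 mOT from m' two-party OTs.
# The two-party OT is an ideal functionality (`ideal_ot`); any private OT
# protocol could replace it. Choosers hold XOR shares b_1..b_m' of sigma;
# the database holds (delta0, delta1).

def xor_all(values):
    return reduce(xor, values, 0)

def database_pairs(delta0, delta1, m):
    """Step 1: sample (r^i_0, r^i_1), i = 1..m', by solving the linear system.
    Free variables: r^i_0 for i < m'. Then r^i_1 = delta0 ^ delta1 ^ r^i_0,
    r^{m'}_0 = delta0 ^ XOR(r^i_0), r^{m'}_1 = delta1 ^ XOR(r^i_0)."""
    free = [secrets.randbits(1) for _ in range(m - 1)]
    pairs = [(r, delta0 ^ delta1 ^ r) for r in free]
    acc = xor_all(free)
    pairs.append((delta0 ^ acc, delta1 ^ acc))
    return pairs

def ideal_ot(pair, choice):
    """Ideal 1-out-of-2 OT: the chooser learns pair[choice] only; the database
    learns nothing about `choice`."""
    return pair[choice]

def mot_1_of_2(delta0, delta1, choice_shares):
    """Steps 2-3: one OT per chooser; chooser i's output is r^i_{b_i}."""
    pairs = database_pairs(delta0, delta1, len(choice_shares))
    return [ideal_ot(pairs[i], b) for i, b in enumerate(choice_shares)]

def exhaustive_check(m):
    """Correctness: for every database and every sharing of sigma, the XOR of
    the choosers' outputs equals delta_sigma with sigma = XOR of the b_i."""
    for delta0, delta1 in product((0, 1), repeat=2):
        for bits in product((0, 1), repeat=m):
            sigma = xor_all(bits)
            if xor_all(mot_1_of_2(delta0, delta1, bits)) != (delta0, delta1)[sigma]:
                return False
    return True

def coalition_view_is_uniform(m, coalition, trials=4000, tol=0.06):
    """Privacy sanity check: the joint outputs of the choosers in `coalition`
    should be uniformly distributed, identically for every (delta0, delta1).
    Returns True when all 2^|coalition| patterns occur with empirical
    frequency within `tol` of 1/2^|coalition|; a coalition of all m' choosers
    sees only patterns XORing to delta_sigma and therefore fails the check."""
    bits = [secrets.randbits(1) for _ in range(m)]   # fixed shares, known to coalition
    expected = 1 / 2 ** len(coalition)
    for delta0, delta1 in product((0, 1), repeat=2):
        counts = {}
        for _ in range(trials):
            out = mot_1_of_2(delta0, delta1, bits)
            pattern = tuple(out[i] for i in coalition)
            counts[pattern] = counts.get(pattern, 0) + 1
        if len(counts) != 2 ** len(coalition):
            return False
        if any(abs(c / trials - expected) > tol for c in counts.values()):
            return False
    return True

if __name__ == "__main__":
    print("correct for m' = 1..5:", all(exhaustive_check(m) for m in range(1, 6)))
    print("coalition {0, 2} of 3 choosers sees uniform noise:",
          coalition_view_is_uniform(3, [0, 2]))
    print("all 2 choosers together learn delta_sigma:",
          not coalition_view_is_uniform(2, [0, 1]))
```

The privacy check only exercises the share arithmetic; it says nothing about the underlying two-party OT, which is exactly what the text's "when the two-party oblivious transfer protocol is private" hypothesis covers.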

This 1-out-of-2 mOT construction can be turned into a 1-out-of-n mOT protocol using a variant of the Brassard-Crépeau-Robert transform [?] which constructs 1-out-of-n oblivious transfer from (a linear number of invocations of) the 1-out-of-2 variant. While these constructions are not particularly efficient, they do demonstrate that mOT protocols can be constructed under a variety of standard cryptographic assumptions and in the information-theoretic case. For example, given secure channels, each two-party OT protocol can be replaced with the distributed OT (dOT) protocol of Naor and Pinkas [?]. Briefly, in an (r, m, ℓ, t)-dOT protocol, the database sends messages to m servers^3 and the chooser contacts r of the servers to reconstruct δ_σ, where no coalition of fewer than t servers learns σ and no coalition of the chooser with fewer than ℓ servers can compute more than can be jointly computed from these participants' inputs and outputs. A straightforward argument of Nikov et al. [?] shows that a necessary and sufficient condition for dOT is r > t + ℓ. Thus, our mOT protocol based on dOT will be τ-private for τ < min(ℓ + 1, t). Since r ≤ m, this condition implies our mOT protocol is τ-private for τ < (m + 1)/2.

Using this construction for mOT instead of OT in a proof of the completeness of OT such as Goldreich's [?, §7.1.3.3] yields a new proof that (given secure channels) n parties can compute any function τ-privately (information theoretically) for τ < n/2. The original presentation of this result, due to Ben-Or, Goldwasser, and Wigderson [?], uses polynomial shares and requires a special, private polynomial degree-reduction technique to handle the degree growth during the interactive multiplication steps. This new proof avoids such complicated machinery. In fact, using a basic proof of the completeness of mOT while building mOT out of different tools (e.g., secure channels, secure channels and one-way functions, two-party OT, etc.) yields new proofs for a variety of interesting results in secure multiparty computation.

5.2 A Construction for 1-Out-of-n g-mOT

In this section, we describe a generic construction of a 1-out-of-n generalized multiparty oblivious transfer protocol. At a high level, the construction can be viewed as a non-black-box transformation from a two-party private information retrieval (PIR) protocol (see [?] for a recent survey). First, the two-party PIR protocol is converted into a two-party OT protocol. The owners of the secret sharing scheme engage in a multiparty computation, t-privately transforming their shares of σ into the messages m̃_0 that would be sent to the database during the two-party OT protocol. A single chooser and the database then engage in the message passing of the original PIR protocol. The received messages m̃_1 are then used as inputs to another multiparty computation, t-privately converting these messages into shares of δ_σ. In this construction, the sharing used for the inputs and outputs is some t-out-of-m linear secret sharing scheme with security parameter k, owned by an appropriate subset of the choosers.

One particularly efficient instantiation of our construction can be built using a two-round PIR protocol, the length-flexible additively homomorphic public key encryption of [?], and design ideas of Aiello-Ishai-Reingold [?]. In the remainder of this section, we discuss this highly efficient instantiation. The steps of this protocol are assembled in order and summarized below.

^3 We note the database itself might play the role of a server, sending itself a message, causing dOT to be a protocol among m + 1 parties.
1. The choosers collaborate to create a (t-out-of-m threshold, length-flexible, additively homomorphic) encryption system.

2. The choosers collaborate to compute the PIR scheme's first message m̃_0, using their shares of σ (see Section 5.2, Input Share Conversion).

3. The choosers send the public parameters, E(σ), and m̃_0 to the database.

4. The database uses E(σ) to blind the database, according to the Aiello-Ishai-Reingold transform (see Section 5.2, Highly Efficient Two-Party PIR and OT).

5. The database runs the PIR protocol as usual, using m̃_0 and the blinded database (see Section 5.2, Highly Efficient Two-Party PIR and OT).

6. The database sends its response m̃_1 to the choosers.

7. The choosers collaborate to decrypt m̃_1. In our case, they decrypt the response α times and then split the remaining ciphertext into shares (see Section 5.2, Output Conversion).


Highly Efficient Two-Party PIR and OT. A highly efficient two-party PIR scheme can be built from length-flexible additively homomorphic public key encryption [?] using design ideas of Kushilevitz-Ostrovsky [?] (e.g., following the presentation of Lipmaa [22]).

The database is composed of n ℓ-bit strings. The chooser takes her secret σ and constructs q = (q_1, ..., q_α), the α-dimensional vector which indicates the position of σ in a Λ_1 × ··· × Λ_α coordinate system. In this system, index (i_1, ..., i_α) is resolved in the following manner:

$A[(i_1, \ldots, i_\alpha)] = A\Big[\, i_1 \prod_{j=2}^{\alpha} \Lambda_j + i_2 \prod_{j=3}^{\alpha} \Lambda_j + \cdots + i_{\alpha-1} \Lambda_\alpha + i_\alpha \Big]$

The first query sent to the database is the encryption of q_1 with the corresponding public key. The database uses this to construct Δ_1[q_1, i_2, ..., i_α], a new database with α − 1 dimensions. The next query is the encryption of q_2, the first coordinate of the same element in this new database. We iterate in this fashion α times. This is a standard trick, due to Kushilevitz and Ostrovsky [?], and is used in the PIR scheme of Stern [?]. In the final round, the database's response is the α-times encryption of δ_σ. In fact this process happens in one round, since the encryption of q = (q_1, ..., q_α) can be sent in a single message. When encryption is achieved using a length-flexible additively homomorphic public-key cryptosystem, this PIR protocol has Θ(k log^2 n + ℓ log n) communication complexity, as shown by Lipmaa [22].

A modification of this PIR scheme, using the Aiello-Ishai-Reingold transform, yields a highly efficient OT scheme. The chooser encrypts σ using a homomorphic encryption scheme and sends this to the database with the corresponding public key. The database takes advantage of the homomorphic property of the ciphertext to compute a new database where each entry δ_j is replaced by E(r_j(σ − j) + δ_j), for some random r_j. Thus, for all j ≠ σ, the j-th element of the database is the encryption of a random element. The original Aiello-Ishai-Reingold transform suggests that the homomorphic encryption scheme generated for this step be verifiable, such as the El Gamal scheme, so the database can verify the correctness of the public key sent by the chooser. As we consider only honest-but-curious adversaries, we can re-use the homomorphic encryption scheme used in the original PIR protocol and ignore the need for verifiable keys. The rest of the OT protocol proceeds just as in the original PIR protocol, but the database's response must now be decrypted α + 1 times to recover δ_σ. This transformation increases the communication complexity by a term of ℓ + k(log n + 1) bits, which does not affect the overall asymptotic complexity.

Input Share Conversion. In our g-mOT scheme, the choosers hold shares of σ using some linear secret sharing scheme. We describe below how the choosers can engage in an efficient t-private multiparty protocol to convert their shares of σ into an encryption of q = (q_1, ..., q_α). For simplicity, we represent the database as the (α = log n)-dimensional 2 × ··· × 2 system^4.

The choosers interact to define a t-out-of-m threshold version of the length-flexible homomorphic encryption scheme. In reality, q_i is a Λ_i-length bit string of Hamming weight 1. Locally, the database uses E(q_i), the bit-wise encryption of this value, to process the representation of the database at step i. In our simplified scenario (for all i, Λ_i = 2) this bit string is simply q_i = (¬b_i, b_i), where b_i is the i-th bit in the binary representation of σ. In other words, if we let Δ^j denote the (α − j)-dimensional database constructed in round j of the PIR protocol, then

$\Delta^{j+1}[i] = \neg q_j \cdot \Delta^j[2i] + q_j \cdot \Delta^j[2i+1].$

Since the encryption of the negation of a bit can be computed by the database, trivially, via the homomorphic property, it suffices to let q_i = b_i. Damgård et al. [?] provide efficient, private constant-round multiparty protocols for computing shares of the binary representation of a secret, from shares of the secret. Using the homomorphic property, the choosers' shares are encrypted and combined, and E(q), E(σ), and the public key are sent to the database by a chooser. From this, the database can run its portion of the OT protocol, and send its response.

Output Conversion. The response from the database is jointly decrypted α times by the choosers to recover E(δ_σ), the desired element encrypted using the same t-threshold (length-flexible) additively homomorphic encryption scheme. This is already, in a sense, a share of δ_σ. Using the homomorphic property, this ciphertext can be split into additive shares for the choosers, or a different type of sharing if desired.
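The three homomorphic steps described above (the Aiello-Ishai-Reingold blinding E(r_j(σ − j) + δ_j), one round of the 2 × ··· × 2 selection Δ^{j+1}[i] = ¬q_j·Δ^j[2i] + q_j·Δ^j[2i+1] with ¬q_j computed by the database from E(q_j), and the splitting of a ciphertext into additive shares) are shown below in an added Python example that is not part of the paper. It uses a toy single-key Paillier cryptosystem over two tiny constructed primes in place of the threshold, length-flexible Damgård-Jurik scheme the section calls for; the primes, the eight-entry database and the plain (non-threshold) final decryption are assumptions of this illustration only, and only one selection round is shown because nesting further rounds needs the length-flexible variant.

```python
import math
import secrets

# Added example, not the paper's code. Toy Paillier over tiny constructed primes
# (assumption: illustration only; real use needs ~1024-bit primes and the
# threshold, length-flexible Damgard-Jurik variant) showing (a) the AIR blinding
# E(r_j (sigma - j) + delta_j), (b) one Kushilevitz-Ostrovsky round on the
# 2 x ... x 2 representation using E(b) and the database-computed E(not b),
# and (c) output conversion of E(x) into additive shares.

P, Q = 1000003, 1000033   # constructed small primes, n = P*Q

def keygen(p=P, q=Q):
    n = p * q
    lam = math.lcm(p - 1, q - 1)
    pk = {"n": n, "n2": n * n}
    sk = {"lam": lam, "mu": pow(lam, -1, n)}   # g = n + 1, so L(g^lam mod n^2) = lam
    return pk, sk

def enc(pk, m):
    n, n2 = pk["n"], pk["n2"]
    r = secrets.randbelow(n - 1) + 1
    while math.gcd(r, n) != 1:
        r = secrets.randbelow(n - 1) + 1
    return (pow(1 + n, m % n, n2) * pow(r, n, n2)) % n2

def dec(pk, sk, c):
    n = pk["n"]
    u = pow(c, sk["lam"], pk["n2"])
    return (((u - 1) // n) * sk["mu"]) % n

def add(pk, c1, c2):    # E(a) * E(b) = E(a + b)
    return (c1 * c2) % pk["n2"]

def scale(pk, c, k):    # E(a)^k = E(k * a); k may be negative
    return pow(c, k % pk["n"], pk["n2"])

def enc_not(pk, c_bit):  # database computes E(1) * E(b)^(-1) = E(1 - b) = E(not b)
    return add(pk, enc(pk, 1), scale(pk, c_bit, -1))

def air_blind(pk, c_sigma, database):
    """Database side of the AIR transform: entry j becomes E(r_j (sigma - j) + delta_j)
    = E(sigma)^(r_j) * E(delta_j - r_j j), so only position sigma stays meaningful."""
    out = []
    for j, delta_j in enumerate(database):
        r_j = secrets.randbelow(pk["n"] - 1) + 1
        out.append(add(pk, scale(pk, c_sigma, r_j), enc(pk, delta_j - r_j * j)))
    return out

def air_round_trip(database, sigma):
    """Chooser: send E(sigma), decrypt every blinded entry. Position sigma yields
    delta_sigma; every other position is uniformly random in Z_n."""
    pk, sk = keygen()
    return [dec(pk, sk, c) for c in air_blind(pk, enc(pk, sigma), database)]

def ko_round(pk, c_bit, table):
    """One KO round on a plaintext table: Delta'[i] = (not b) Delta[2i] + b Delta[2i+1],
    computed by the database from E(b) alone, halving the table."""
    c_not = enc_not(pk, c_bit)
    return [add(pk, scale(pk, c_not, table[2 * i]), scale(pk, c_bit, table[2 * i + 1]))
            for i in range(len(table) // 2)]

def ko_round_trip(table, bit):
    pk, sk = keygen()
    return [dec(pk, sk, c) for c in ko_round(pk, enc(pk, bit), table)]

def split_ciphertext(pk, sk, c, parties):
    """Output conversion: E(x) -> additive shares of x mod n. Parties 1..k-1
    subtract random masks homomorphically, then the masked ciphertext is
    decrypted (a threshold decryption in the real protocol; plain here)."""
    n = pk["n"]
    masks = [secrets.randbelow(n) for _ in range(parties - 1)]
    masked = c
    for s in masks:
        masked = add(pk, masked, enc(pk, -s))
    return masks + [dec(pk, sk, masked)]    # shares sum to x mod n

if __name__ == "__main__":
    DB = [17, 23, 5, 99, 42, 0, 7, 64]    # constructed 8-entry database
    print("AIR, sigma=3:", air_round_trip(DB, 3))      # position 3 reads 99, rest random
    print("KO round, b=1:", ko_round_trip(DB, 1))       # [23, 99, 0, 64]
    pk, sk = keygen()
    print("shares of 1234 sum to:", sum(split_ciphertext(pk, sk, enc(pk, 1234), 3)) % pk["n"])
```

The database-privacy argument of the section is visible in `air_blind`: for j ≠ σ the plaintext r_j(σ − j) + δ_j is uniform in Z_n because r_j is, so decrypting those positions reveals nothing about δ_j; only position σ survives. In `ko_round` the database never sees b, only E(b) and the E(¬b) it derives itself.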

5.3 Analysis

Claim. The complete protocol of Section 5.2 has O(kℓ log^2 n poly(m)) communication complexity and O(log n) round complexity, where k is a security parameter, m is the total number of players, and the database is composed of n strings of bit-length ℓ.

^4 For efficiency in communication complexity when using this representation, we require the use of length-flexible additively homomorphic encryption. It is possible to use a generic additively homomorphic encryption system and achieve sublinear communication complexity by using a different representation, at the cost of increasing the round complexity (by a factor of log n) during this pre-processing phase. Such a choice would not affect the efficiency of the complete protocol.
Proof (Sketch). The primitives used by the input share conversion protocol have O(poly(m, log q)) communication complexity, where q is the size of the field in which σ lives. Since σ is a pointer into a table of size n, the communication complexity becomes, in our case, O(poly(m, log log n)) = o(poly(m) log n). Also, the messages passed between the database and the other parties are the same as those passed during the oblivious transfer protocol from Section 5.2, whose communication complexity is Θ(k log^2 n + ℓ log n). Thus, our complete protocol has O(m(k log^2 n + ℓ log n) + poly(m) log n) = O(kℓ log^2 n poly(m)) communication complexity and O(log n) round complexity.

Claim. The complete protocol of Section 5.2 is t-private, assuming the threshold length-flexible additively homomorphic public-key encryption scheme is IND-CPA secure.

Proof (Sketch). The above security claim follows from the security of the share conversion protocols, from general composition theorems [?], and from the same security arguments of [22], since (although we make use of the protocol in a non-blackbox manner) the transcript of the messages passed between the chooser and database in our protocol is identical.

More specifically, the g-mOT protocol is (t, t, t − 1, m)-secure, because the Aiello-Ishai-Reingold transform makes the OT scheme information-theoretically database-private. When the PIR protocol is converted into an OT protocol using a transformation that provides computational sender privacy, like the Naor-Pinkas transform [25], the resulting mOT protocol is (t, t, t − 1, t)-secure. The threshold, length-flexible homomorphic encryption scheme of Damgård and Jurik [?] is IND-CPA secure in the standard model, under the Paillier and composite DDH assumptions.
Abstract. We consider a new model for online secure computation on encrypted inputs in the presence of malicious adversaries. The inputs are independent of the circuit computed in the sense that they can be contributed by separate third parties. The model attempts to emulate as closely as possible the model of “Computing with Encrypted Data” that was put forth in 1978 by Rivest, Adleman and Dertouzos which involved a single online message. In our model, two parties publish their public keys in an offline stage, after which any party (i.e., any of the two and any third party) can publish encryptions of their local inputs. 

Then in an on-line stage, given any common input circuit C and its set 
of inputs from among the published encryptions, the first party sends a 
single message to the second party, who completes the computation. 

Keywords: Computing with Encrypted Data, Secure Two-Party Com- 
putation, CryptoComputing, oblivious transfer. 

1 Introduction 

In “Computing with Encrypted Data”, first a public key is published by one party, followed by collection of data encrypted under this key (potentially from various sources and independent of the actual computation). Later, in an online stage, a computing party who possesses a circuit of a function acts on the encrypted data, and sends the result (a single message) to the owner of the public key for output decryption. This wishful single message scenario for secure computation was put forth as early as 1978 by Rivest, Adleman and Dertouzos m. This model is highly attractive since it represents the case where a database is first collected and maintained and only later a computation on it is decided upon and executed (i.e., data mining and statistical database computation done over the encrypted database). However, in its most general form (and the way m envisioned it), the model requires an encryption function that is homomorphic over a complete base (sometimes called doubly homomorphic encryption), which is a construction that we do not have (finding such a scheme is a long standing open problem and would have far reaching consequences); further, we have indications such a scheme cannot be highly secure 0. 

K. Kurosawa (Ed.): ASIACRYPT 2007, LNCS 4833, pp. 298–314, 2007. 

In this paper we put forth a relaxation of the above model, that relies on two party secure computations, yet retains much of the desired properties of the original model, namely, it allows computing of any feasible functions over encrypted data, it further allows the data to come from various sources, and it employs a single online message as well. Our proposed relaxation is to allow two parties (rather than one) to publish a shared public key, and both parties hold shares of the private key and use their shares of the secret key to do computations on data encrypted with the public key. Once the public key is published, data contributors publish encrypted (committed) data as before (this is called the off-line stage). Then, in the on-line stage, one of the two parties (the compiler) sends a single message to the second party (the cryptocomputer), that contains a circuit for a function to compute, and a garbled circuit of the same function, allowing the second party to compute the result securely (i.e., while keeping the inputs private, and gaining no computational advantage beyond what it can compute from the result and the inputs it knows). Note that because of its essentially non-interactive nature, our model is also particularly suitable for applications involving low-latency remote executions, such as for mobile agent applications (201. 

We give two protocols in this model, which differ only in the cryptographic 
assumptions and the communication complexity. Both protocols are secure even 
against malicious parties, and both allow computing any polynomial function (or 
sequence of functions) by a single on-line message exchange, in a sense satisfying 
the original vision of m for computing with encrypted data. 

If we limit the input contribution to the two parties involved, our model 
matches naturally the theory of general secure two party computation (see 1 1 7IM 2\ 
and |20I2 1| for some of the earliest and the latest works in this area). While it 
may be possible to turn many of the works on two party computations to single 
message protocols (based on random oracle or non-interactive proofs), we have 
not seen this mentioned explicitly (the closest being gj) or a proof of security 
given for it. To the best of our knowledge none of the previous garbled-circuit- 
based two party secure computation results allows for data contribution by third 
parties (an issue that was not even modeled earlier). 

In the general two party computation setting, two parties Alice and Bob have private inputs $x_A$ and $x_B$ respectively, and wish to compute a function $f(x_A, x_B)$ securely, without leaking any further information. A particularly useful setting is where Alice and Bob have published commitments $s_A, s_B$ on their inputs, which allows secure computation to proceed more efficiently. Applying our results to this setting, we can have Alice and Bob encrypt their input during the off-line stage (independently of any computation); then the subsequent secure computation (or “cryptocomputing” m) only requires a single message per function to be computed. A similar result was previously known only for functions of restricted complexity classes (e.g., 123 show how to securely compute functions in NC$^1$), while we provide a protocol for any function in P. 

The idea of minimizing the on-line stage in cryptographic primitives goes back 
to the notion of Off-line On-line Signature of Even, Goldreich and Micali where 
they minimized the amount of computations of a signature at the on-line stage 
(after a message is given as an input) (T2| . 
1.1 Our Model and Results 

As outlined above, we propose the off-line/on-line model for crypto-computing using a single message (and thus optimal round complexity) for the on-line stage. For $k \geq 2$, there are parties $P_1, \ldots, P_k$. We name $P_1$ as Alice and $P_2$ as Bob. The model consists of the following four stages. 

1. Alice and Bob publish prospective shares of the public key, $y_A$ and $y_B$. 

2. Separable Data Collection: Parties $P_1, \ldots, P_k$ publish their data, encrypted by a shared public key $y$. 

3. Communication: Given an input circuit $C$ with $m$ designated input bits, Alice sends to Bob a single message containing a set of indexes to the published encrypted inputs $\{idx_i\}_{i=1}^{m}$, and a garbled circuit $\tilde{C}$. 

4. Computation: Bob decides if the message is consistent with the input circuit and its inputs, verifying that the indices to the encrypted inputs are valid, and that $\tilde{C}$ is a garbled version of $C$. If all these tests succeed, Bob computes $\tilde{C}$ on the committed inputs. 

Note that since we deal with any polynomial-size function (or circuit), we can have some of the data encode circuits and the on-line circuit be a universal one PH-. 

We give two protocols that are secure within this model. The first is based 
on the traditional and quite minimal DDH assumption and uses ElGamal en- 
cryption, and the other is based on the DCR assumption and uses the simplified 
Camenisch-Shoup encryption scheme (introduced by [2U]). The latter protocol 
achieves better communication complexity, at the price of using a stronger more 
recent assumption and encryption method. 

We use non-interactive zero-knowledge proofs (NIZK) for the malicious case, 
which can be achieved either in the common reference string model or in the 
random oracle model. Under the common reference string model, the NIZK PoK 
of De Santis and Persiano |2E| can be used, assuming dense secure public-key 
encryption scheme. Under the random oracle model, the well-known Fiat-Shamir 
technique m can be used. 

A main primitive our work relies upon is a conditional exposure primitive we call CODE (Conditional Oblivious Decryption Exposure). CODE is a two-party non-interactive protocol, which allows Bob to learn the plaintext of a cyphertext $c$, if two other cyphertexts $a, b$ encrypt the same value. Unlike other conditional exposure primitives (e.g. Gertner et al. HE! and Aiello et al. jU), in CODE the three cyphertexts $a, b, c$ are encrypted with a shared public key, such that third parties can contribute them, and neither Alice nor Bob alone knows anything else about the result of CODE. The conditional exposure primitive of Aiello et al. [TJ is a natural translation of a logical ‘if $a$ equals $b$’ to arithmetic on cyphertexts using encryption that is homomorphic in the plaintext. The CODE primitive uses homomorphic properties of the keys and of the plaintexts and gives more freedom to design protocols that include inputs shared among the parties. 

This allows for oblivious yet secure “input directed navigation” in a garbled circuit based on a single trigger, given encrypted inputs. The technique also allows efficient combination with zero-knowledge proofs to assure robustness of the overall protocol. 

We note that we concentrate on a single message computation and present 
the protocols with respect to the most efficient random oracle based proofs. 
Modifying the scheme to employ non-interactive proofs in the standard model 
and modifying the single message scheme to consider the universal composability 
model of security are possible as well. 

1.2 Previous Work 

As mentioned above, Rivest, Adleman, and Dertouzos m offer perhaps the first proposal for the study of blind computation on cyphertexts, considering them as a primitive for private data manipulation. Feigenbaum and Merritt subsequently urged more focused investigation on cryptosystems with algebraic homomorphisms. The term “CryptoComputing” and the first non-trivial instantiation originated with Sander, Young, and Yung E3, who present a CryptoComputing protocol for functions $f$ in NC$^1$. In their model, Alice does not publish her input $s_A$, but instead sends it (hides it) within her transcript, and information theoretic security is achieved with respect to Bob. This is to say that Bob learns no information whatever about $s_A$ apart from the output of $f$. Beaver j2j extends m to accommodate any function in NLOGSPACE. Other reduced round secure computations (two message constructions, in fact) have been suggested by Naor, Pinkas, and Sumner m and by Cachin, Camenisch, Kilian, and Müller. Their approaches are based on the two-party secure function evaluation scheme of Yao m and Goldreich, Micali, and Wigderson £Zj. 

Recently the area of robust two-party computations in constant rounds has gained some attention. Specifically, the works of Jarecki and Shmatikov |2U|, Lindell and Pinkas, and Horvitz and Katz gave protocols for two-party computation using Yao’s garbled circuit that are secure against malicious adversaries. E0| uses a modified Camenisch-Shoup verifiable encryption scheme j0| to allow the party that sends the garbled circuit to prove its correctness. Our simplified-Camenisch-Shoup based protocol was devised by combining the ideas of our first protocol with those from (23, in order to satisfy our model with better communication complexity. Lindell and Pinkas EU use a cut-and-choose approach to proving security of Yao’s garbled circuit against malicious adversaries, and their method is more generic yet requires a few more rounds. Horvitz and Katz [H3( showed a UC-secure protocol in two rounds (four messages) using the DDH assumption. In their protocol, the two parties essentially run two instances of Yao’s protocol simultaneously. 

2 Preliminaries 

In the primitives we describe below, as well as in our main protocol, we assume 
that Alice and Bob agree in advance on some groups over which the computation 
is being done. 
Let $\ell$ be a security parameter. In the constructions below, it is generally appropriate to let $\ell = \log q$. We say that a function $f(\ell)$ is negligible if for any polynomial $\mathrm{poly}$, there exists a value $d$ such that for any $\ell > d$, we have $f(\ell) < 1/|\mathrm{poly}(\ell)|$. To achieve non-interactive proofs in the malicious case, we also assume a random oracle for the underlying hash function. 


2.1 ElGamal Cryptosystem 

We employ the ElGamal cryptosystem EH in our first construction. ElGamal encryption takes place over the group $G_q$ over which it is hard to compute discrete logarithms. Typically, $G_q$ is taken to be a subgroup of $\mathbb{Z}_p^*$, where $q \mid p-1$, for large primes $p$ and $q$. We denote $g$ as a published generator of $G_q$.¹ 

Let $y = g^x$ be the public key for the secret key $x$. The encryption of a message $m$ (denoted $E_y(m)$) is $(g^r, m \cdot y^r)$ for $r \in_R [1, q]$. The decryption of a cyphertext $(\alpha, \beta)$ (denoted $D_x(\alpha, \beta)$) is $\beta / \alpha^x$. The ElGamal cryptosystem is semantically secure under the Decision Diffie-Hellman (DDH) assumption m over $G_q$. We intensively use the multiplicative homomorphism of the ElGamal cryptosystem: $E_y(m_1) \cdot E_y(m_2) = E_y(m_1 \cdot m_2)$. 

Our protocol makes use of a private/public key pair $(x_A, y_A = g^{x_A})$ for Alice, as well as a private/public key pair $(x_B, y_B = g^{x_B})$ for Bob. We denote by $y$ the shared public key $y_A \cdot y_B$, for which the corresponding private key is $x_A + x_B$. Note that $y$ may be established implicitly by Alice on learning $y_B$ and by Bob on learning $y_A$. In particular, there is no need for interaction between the parties to determine the shared key. Since the public keys are published, we assume all parties hold the joint public key $y$. 


2.2 Simplified- Camenisch-Shoup Cryptosystem 

For the sCS cryptosystem, Alice and Bob work over $\mathbb{Z}_{n^2}^*$ for $n = pq$, where $p = 2p' + 1$, $q = 2q' + 1$, and $p, q, p', q'$ are all primes, and $|p| = |q|$. Let $n' = p'q'$, and $h = (1 + n)$. The group $\mathbb{Z}_{n^2}^*$ has a unique (up to isomorphism) decomposition as the direct product of four cyclic groups $\mathbb{Z}_{n^2}^* = G_n \times G_{n'} \times G_2 \times T$, where $G_n$ is generated by $h$ and has order $n$, $G_{n'}$ has order $n'$, and $G_2$ and $T$ are of order 2. Let $g'$ be a random element of $\mathbb{Z}_{n^2}^*$. We know that the order of $g'$ divides $\phi(n^2) = n \cdot \phi(n) = 4nn'$. With very high probability, the order of $g'$ is a multiple of $n'$, and $g = (g')^{2n}$ thus has order $n'$ and is a generator of $G_{n'}$. 

For the simplified-Camenisch-Shoup (as well as the original Camenisch-Shoup), all operations take place in $\mathbb{Z}_{n^2}^*$. Note that $h$ has order $n$ and that $h^c = 1 + cn \pmod{n^2}$. The DCR assumption |23| is that given only $n$, random elements of $\mathbb{Z}_{n^2}^*$ are hard to distinguish from random elements of $P$, which is the subgroup of $\mathbb{Z}_{n^2}^*$ consisting of all $n$th powers of elements in $\mathbb{Z}_{n^2}^*$. 


¹ In the settings where $p = 2q + 1$ and $G_q$ is the set of quadratic residues in $\mathbb{Z}_p^*$, plaintexts not in $G_q$ can be mapped onto $G_q$ by appropriate forcing of the Legendre symbol, e.g., through multiplication by a predetermined non-residue. 
The sCS encryption scheme, introduced by j2D| (and based on the CS scheme of 0), is semantically secure under the DCR assumption. 

Key generation. A private key is $x \in [0, n/4]$. A public key is $(n, g, y)$ for $y = g^x$. 

Encryption. We map the message $m$ to an integer in $(-\frac{n}{2}, \frac{n}{2}]$. The encryption $E_{PK}(m)$ is a pair $(u, e) = (g^r, h^m y^r)$ for a random integer $r \in [0, n/4]$. 

Decryption. Given a pair $(u, e)$, if this is a valid cyphertext it is of the form $(g^r, h^m y^r)$. Let $\hat{m} = (e / u^x)^2$. If $\hat{m}$ is valid, it is $(1 + n)^{m} = 1 + nm \pmod{n^2}$ for some $m$, so check that $n \mid \hat{m} - 1$ and reject otherwise. Else, let $m' = (\hat{m} - 1)/n$ (over the integers), let $m'' = m'/2 \pmod{n}$, and recover the message $m = m'' \text{ rem } n$, where $(a \text{ rem } b)$ is $a$ if $a < b/2$ and otherwise it is $b - a$. 
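A worked instance of the sCS key generation, encryption and decryption just described, written here as an added example (not code from the paper) over toy primes p = 47, q = 59 chosen for illustration; the "rem" step is implemented as the signed representative in (−n/2, n/2], and a tampered cyphertext is shown to fail the n | m̂ − 1 check.

```python
import math
import random

# Toy sCS parameters, constructed for illustration only (a real n is about 2048 bits):
# p = 2p'+1 = 47 and q = 2q'+1 = 59 with p' = 23, q' = 29 all prime and |p| = |q| = 6 bits.
N = 47 * 59                 # n = 2773
N2 = N * N                  # all arithmetic takes place in Z*_{n^2}
NP = 23 * 29                # n' = p'q' = 667, the order of G_{n'}
rng = random.Random(1)

def h_pow(c):
    """h^c for h = 1 + n: h^c = 1 + c*n (mod n^2), which also covers negative c."""
    return (1 + c * N) % N2

def gen_g():
    """g = (g')^{2n} for a random g' in Z*_{n^2}; the order of g divides n', so g lies in G_{n'}."""
    while True:
        gp = rng.randrange(2, N2)
        if math.gcd(gp, N) != 1:
            continue
        g = pow(gp, 2 * N, N2)
        if g != 1 and pow(g, NP, N2) == 1:      # sanity check: g^{n'} = 1
            return g

def keygen(g):
    x = rng.randrange(0, N // 4 + 1)           # private key x in [0, n/4]
    return x, (N, g, pow(g, x, N2))            # public key (n, g, y = g^x)

def encrypt(pk, m):
    """E_PK(m) = (u, e) = (g^r, h^m y^r) for m in (-n/2, n/2] and r in [0, n/4]."""
    _, g, y = pk
    if not -(N // 2) <= m <= N // 2:
        raise ValueError("message outside (-n/2, n/2]")
    r = rng.randrange(0, N // 4 + 1)
    return pow(g, r, N2), h_pow(m) * pow(y, r, N2) % N2

def decrypt(x, c):
    """Returns m, or None when (u, e) is rejected because n does not divide m_hat - 1."""
    u, e = c
    m_hat = pow(e * pow(u, -x, N2), 2, N2)     # (e / u^x)^2 = h^{2m} = 1 + 2mn (mod n^2) if valid
    if (m_hat - 1) % N != 0:
        return None
    m1 = (m_hat - 1) // N                      # m' = 2m mod n, computed over the integers
    m2 = m1 * pow(2, -1, N) % N                # m'' = m'/2 (mod n)
    return m2 if m2 <= N // 2 else m2 - N      # rem: back to the signed range (-n/2, n/2]

def add_encrypted(c1, c2):
    """Additive homomorphism of the scheme: (u1*u2, e1*e2) encrypts m1 + m2."""
    return c1[0] * c2[0] % N2, c1[1] * c2[1] % N2

def self_check():
    """Round trips, a homomorphic sum and a tampered cyphertext (e doubled) that is rejected."""
    g = gen_g()
    x, pk = keygen(g)
    u, e = encrypt(pk, 3)
    return (decrypt(x, encrypt(pk, 0)),
            decrypt(x, encrypt(pk, 1)),
            decrypt(x, encrypt(pk, -5)),
            decrypt(x, add_encrypted(encrypt(pk, 700), encrypt(pk, -1000))),
            decrypt(x, (u, e * 2 % N2)))

if __name__ == "__main__":
    print(self_check())        # (0, 1, -5, -300, None)
```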


2.3 COVE (Conditional Oblivious Decryption Exposure) 

The linchpin of our construction is a protocol that we newly introduce in this paper. We refer to it as Conditional Oblivious Decryption Exposure. One of the main differences between CODE and previously suggested conditional exposure primitives is that CODE allows for third parties to contribute encryptions using a public key, and then Alice and Bob, who share the private key, can perform the conditional exposure. 

Definition 1 (Conditional Oblivious Decryption Exposure). Let $(x_A, y_A)$ and $(x_B, y_B)$ be two secret/public key pairs and $E$ (resp. $D$) be the encryption (resp. decryption) function. Let $c_1, c_2, c_3$ be three cyphertexts encrypted under the joint key $y = y_A \cdot y_B$. The functionality CODE is defined by 

$$((c_1, c_2, c_3, x_A, y_B), (x_B, y_A)) \mapsto \begin{cases} (\bot, (c_1, c_2, c_3, D_x(c_3))) & \text{if } D_x(c_1) = D_x(c_2) \\ (\bot, (c_1, c_2, c_3, r)) & \text{otherwise,} \end{cases}$$ 

where $x = x_A + x_B$ and $r \in_R G_q$. 

In this functionality, the decryption of $c_3$ is exposed to the second party conditioned on $c_1 = c_2$ (i.e., if they encrypt the same message). Moreover the first party is oblivious of the outcome of the protocol. 

We show protocols for secure implementations of the CODE functionality using either ElGamal or sCS encryption. impCODE is a protocol for the CODE functionality secure in the honest-but-curious case. 


impCODE. Let’s call the first party Alice and the second party Bob. The CODE implementation consists of a single CODE transcript sent from Alice to Bob. Let $c_1 = (\alpha, \beta) = (g^{r_1}, m_1 y^{r_1})$, $c_2 = (\gamma, \delta) = (g^{r_2}, m_2 y^{r_2})$, and $c_3 = (\lambda, \mu) = (g^{r_3}, m_3 y^{r_3})$. Alice sends $(\epsilon, \zeta, D)$ to Bob where 

1. $\epsilon = (\alpha/\gamma)^e$ and $\zeta = (\beta/\delta)^e$, for $e \in_R \mathbb{Z}_q$ 

2. $D = (\epsilon\lambda)^{x_A}$. 
Bob computes $\hat{m}_3 = \frac{\zeta\mu}{D \cdot D'}$ where $D' = (\epsilon \cdot \lambda)^{x_B}$ and outputs $(c_1, c_2, c_3, \hat{m}_3)$. Note that 

$$\frac{\zeta\mu}{D \cdot D'} = \frac{(\beta/\delta)^e \cdot \mu}{(\epsilon\lambda)^{x_A + x_B}} = \frac{(m_1/m_2)^e \, y^{e(r_1 - r_2)} \cdot m_3 y^{r_3}}{y^{e(r_1 - r_2) + r_3}} = \left(\frac{m_1}{m_2}\right)^{e} m_3,$$ 

that is, if $m_1 = m_2$, then $\hat{m}_3 = m_3$, as required. 

Theorem 1. The protocol impCODE securely implements the functionality CODE for the honest-but-curious two parties under the DDH assumption. 

Proof. We show a simulator $S = (SIM_A, SIM_B)$ for impCODE. The case of corrupted Alice is easy; since Alice does not get any message from Bob, the simulator $SIM_A$ is trivial. For a corrupted Bob, the simulator $SIM_B$ has to simulate the view of Bob. Formally, 

$$\{SIM_B((x_B, y_A), (c_1, c_2, c_3, d))\} \approx \{\mathrm{view}_B((c_1, c_2, c_3, x_A, y_B), (x_B, y_A))\}$$ 

In other words, given the input and output of Bob, $SIM_B$ has to simulate the impCODE transcript $(\epsilon, \zeta, D)$ that Alice sends to Bob. The simulator $SIM_B$ computes 

$$e \in_R \mathbb{Z}_q, \quad \epsilon = (\alpha/\gamma)^e, \quad \zeta = (\beta/\delta)^e, \quad D' = (\epsilon\lambda)^{x_B}, \quad D = \frac{\zeta\mu}{d \cdot D'}$$ 

and outputs $(\epsilon, \zeta, D)$. The simulated $(\epsilon, \zeta)$ have the same distribution as in the real protocol. Given $(\epsilon, \zeta)$ and $d$, $D$ is uniquely determined. 

3 Honest-But-Curious Protocol 

3.1 Intuition 

In our one-message secure function evaluation scheme, Alice sends a garbled circuit to Bob, and Bob computes the function $f$ using the garbled circuit. Let $C$ be a circuit with gates $G_1, G_2, \ldots, G_m$ that computes the function $f$ of interest, and let $T_1, T_2, \ldots, T_m$ be the corresponding truth tables. Sometimes we interchangeably use the terms gates and tables. 

First of all, Alice garbles each table by encrypting all the entries and then permuting the rows. See Figure 1 for an example, where Alice garbled an AND gate with shuffling permutation (1 2 3). 

As in Yao’s garbled circuit, Bob’s computation of a gate $G_j$ depends on the computation of the two gates $G_i, G_k$ associated with the inputs to $G_j$, where these gates’ outputs are used in the decryption of the encrypted truth table $T_j$. One notable difference from Yao’s technique is that here we add another level of separation between these gates’ (encrypted) outputs and the key for decrypting gate $G_j$; this is done using CODE. We thank the anonymous referee for commenting that indeed, in the honest-but-curious case, it is enough for us to use CODE only in the input gates (where Yao’s protocol uses Oblivious Transfer), improving our construction’s efficiency and readability. However, using CODE is still required for assuring security in the malicious case. 

Two-Party Computing with Encrypted Data 305 

| T_i | I_L (left input) | I_R (right input) | O (output) | 
| 1 | 0 | 0 | 0 | 
| 2 | 0 | 1 | 0 | 
| 3 | 1 | 0 | 0 | 
| 4 | 1 | 1 | 1 | 

| T_i^* | I_L | I_R | O | 
| 1 | E[1] | E[0] | E[0] | 
| 2 | E[0] | E[0] | E[0] | 
| 3 | E[0] | E[1] | E[0] | 
| 4 | E[1] | E[1] | E[1] | 

and E[g^1] respectively. We still use the notation E[0] and E[1] to handle both ElGamal and sCS encryption schemes. 

Fig. 1. Alice Garbles an AND gate T_i with permutation (1 2 3) and gets T_i^* 

| T_i^* | I_L | I_R | O | Plugs_[i->j] | 
| 1 | E[1] | E[0] | E[0] | (n, y, y, n) | 
| 2 | E[0] | E[0] | E[0] | (n, y, y, n) | 
| 3 | E[0] | E[1] | E[0] | (n, y, y, n) | 
| 4 | E[1] | E[1] | E[1] | (y, n, n, y) | 

| T_j^* | I_L | I_R | O | 
| 1 | E[1] | E[0] | E[0] | 
| 2 | E[0] | E[0] | E[0] | 
| 3 | E[0] | E[1] | E[0] | 
| 4 | E[1] | E[1] | E[1] | 

Fig. 2. Plugs are now added 

With only isolated garbled tables, however, Alice cannot have Bob compute the function. She needs to give him ‘wiring information’ between a row of a table (output) and a row of an upper-level table (input). The wiring information is hereafter called a plug. See Figure 2 for an example. Suppose that $T_j^*$ is the upper-level table of $T_i^*$, where $T_i^*$’s output is propagated into $T_j^*$’s left input. We denote the plugs in the $v$-th row of the table $T_i^*$ by $\mathrm{Plugs}_{[i \to j]}(v)$, and, more specifically, $\mathrm{Plug}_{[i \to j]}(v, w)$ denotes the $w$-th element of $\mathrm{Plugs}_{[i \to j]}(v)$. For example, $\mathrm{Plugs}_{[i \to j]}(1) = (n, y, y, n)$ and $\mathrm{Plug}_{[i \to j]}(1, 2) = y$. The plug $\mathrm{Plug}_{[i \to j]}(1, 2) = y$ means that the output value on the first row of $T_i^*$ is equal to the left-input value on the second row of $T_j^*$. On the other hand, from the plug $\mathrm{Plug}_{[i \to j]}(1, 4) = n$, we know that the output value of the first row of $T_i^*$ is different from the left-input value on the fourth row of $T_j^*$. 

However, if Bob is honest-but-curious, he might be able to find out more than the output of the function by following other computation paths, because all the plug information is exposed. For example, even if Bob determines that $O_i$ is the correct output for table $T_i^*$, he can experiment and try computing another computation path using a different output $O'$ on another row of the same table. Such an attack, if successful, can enable Bob to explore a rich set of different computational paths for $f$, potentially leaking information about the secret input. 
The aim of our protocol is to restrict Bob’s exploration exclusively to the correct computational path. Suppose that we have three tables $T_i^*$, $T_j^*$ and $T_k^*$ where the output of $T_i^*$ and the left input of $T_j^*$ are connected together, and so are the output of $T_k^*$ and the right input of $T_j^*$. Let $O_{i,v_i}$ (resp. $O_{k,v_k}$) be the output for a given row $v_i$ in $T_i^*$ (resp. for a given row $v_k$ in $T_k^*$), and $I^L_{j,v_j}$ (resp. $I^R_{j,v_j}$) be the left (resp. right) input for a given row $v_j$ in $T_j^*$. Now suppose that Bob has the plugs $\mathrm{Plugs}_{[i \to j]}(v_i)$ and $\mathrm{Plugs}_{[k \to j]}(v_k)$, and wants to retrieve plugs in the table $T_j^*$. We want to make sure that Bob obtains the plug for the $v_j$-th row of $T_j^*$ only when $O_{i,v_i} = I^L_{j,v_j}$ and $O_{k,v_k} = I^R_{j,v_j}$. Since the same will be true for all gates in $C$, Bob can only follow the correct computational path, and learns nothing about other paths. 

In order to achieve our goal, for each row of a table Alice generates an encryption key pair $(pk, sk)$, exposes the public key $pk$, and hides the secret key $sk$ by encrypting it with the global encryption key (i.e., $y = y_A \cdot y_B$). She then encrypts the plug information with $pk$. She wants Bob to obtain the key $sk$, and therefore get the plug information, only when Bob follows the correct computation path. The idea is to use a CODE transcript as a plug. Recall that CODE, given three cyphertexts $c_1$, $c_2$ and $c_3$, outputs the decryption of $c_3$ when $c_1 = c_2$. Here, $c_1$ and $c_2$ correspond to $O_{i,v_i}$ and $I^L_{j,v_j}$ (or $O_{k,v_k}$ and $I^R_{j,v_j}$), and $c_3$ to the cyphertext of $sk$. Below, we describe our protocols in detail. 

3.2 Protocol Details: Publication of Keys and Inputs 

Alice and Bob publish their keys $y_A$ and $y_B$. Input contributors encrypt input bits using the public key $y = y_A \cdot y_B$. Let $s$ be an $n$-bit input string that is contributed by input contributors. Denote the $i$-th bit of $s$ by $s_i$. When the ElGamal encryption scheme is used, $s$ is encrypted as $\{(g^{r_i}, g^{s_i} \cdot y^{r_i})\}_{i=1}^{n}$, where $r_i \in_R \mathbb{Z}_q$. When the sCS scheme is used, $s$ is encrypted as $\{(g^{r_i}, h^{s_i} \cdot y^{r_i})\}_{i=1}^{n}$, where $r_i \in_R [0, n/4]$. 

3.3 Protocol Details: Alice 

Structure of the Table. Alice reads Bob’s published key and input cyphertexts and computes $y = y_A y_B$. Now, in order to incorporate CODE we must extend the underlying table structure to incorporate plugs and associated keys. To do so, we append two columns to the basic table $T_i^*$, and denote the resulting expanded table by $T_i$. See Figure 3. 

Here, Bob obtains a key $k_{i,v1}$ (resp. $k_{i,v2}$) from the plug of the lower-level table when he makes a successful match against the left (resp. right) input on the row $v$. 

Construction of the Overall Garbled Circuit. Alice has to construct three 
types of tables: input, output and intermediate gates. First, Alice constructs the 
set of intermediate tables {Tj} as follows. 
1. Alice mixes each table $T_i$ and encrypts all the entries to yield $T_i^*$. 

2. For each table $T_i^*$ and row $v$, Alice selects $k_{i,v1}, k_{i,v2} \in_R \mathbb{Z}_q$ to construct two columns $K^L$ and $K^R$ in $T_i$. 

3. Alice computes $\mathrm{Plugs}_{[i \to j]}(v)$ for each row $v$. 

| T_i | I^L | I^R | O | K^L (left key) | K^R (right key) | Plugs_[i->j] | 
| 1 | E_y(1) | E_y(0) | E_y(0) | E_y(k_{i,11}), g^{k_{i,11}} | E_y(k_{i,12}), g^{k_{i,12}} | E_{z_{i,1}}(p_{i,11}), ..., E_{z_{i,1}}(p_{i,14}) | 
| 2 | E_y(0) | E_y(0) | E_y(0) | E_y(k_{i,21}), g^{k_{i,21}} | E_y(k_{i,22}), g^{k_{i,22}} | E_{z_{i,2}}(p_{i,21}), ..., E_{z_{i,2}}(p_{i,24}) | 
| 3 | E_y(0) | E_y(1) | E_y(0) | E_y(k_{i,31}), g^{k_{i,31}} | E_y(k_{i,32}), g^{k_{i,32}} | E_{z_{i,3}}(p_{i,31}), ..., E_{z_{i,3}}(p_{i,34}) | 
| 4 | E_y(1) | E_y(1) | E_y(1) | E_y(k_{i,41}), g^{k_{i,41}} | E_y(k_{i,42}), g^{k_{i,42}} | E_{z_{i,4}}(p_{i,41}), ..., E_{z_{i,4}}(p_{i,44}) | 

1. The value $k_{i,vw}$ for $v \in [1, 4]$, $w \in [1, 2]$ is chosen randomly from $\mathbb{Z}_q$. 

2. The public key $z_{i,v} = g^{k_{i,v1}} \cdot g^{k_{i,v2}}$ for $v \in [1, 4]$ is used to encrypt plugs of the $v$-th row. 

3. When we want to emphasize the abstract view of the plug $p_{i,vw}$ (resp. $E_{z_{i,v}}(p_{i,vw})$), we use the notation $\mathrm{Plug}_{[i \to j]}(v, w)$ (resp. $\mathrm{Plug}^*_{[i \to j]}(v, w)$). 

Fig. 3. Schematic depiction of table $T_i$ 

Inputs to the circuits are plugs connecting input ciphertexts and the first-level intermediate gates. Again, plugs are constructed using CODE. 

Output gates have much the same structure as intermediate gates. The only 
difference is in the last column. Rather than providing encrypted plugs to enable 
the computation to be continued, Alice provides encrypted output bits for the 
function /. 

3.4 Protocol Details: Bob 

Now let us consider how Bob evaluates the transcript sent by Alice. We assume, by recursion, that when Bob tries to evaluate the output of gate $G_j$, he has the plugs (i.e., $\mathrm{Plugs}_{[i \to j]}(v_i)$ and $\mathrm{Plugs}_{[k \to j]}(v_k)$) for these ciphertexts into $T_j$. 

1. For each $v \in \{1, 2, 3, 4\}$, Bob performs impCODE with the two plugs $\mathrm{Plug}_{[i \to j]}(v_i, v)$ and $\mathrm{Plug}_{[k \to j]}(v_k, v)$, trying to obtain keys $k_{j,v1}$ and $k_{j,v2}$. If he fails (by checking if $g^{\eta} = g^{k_{j,v1}}$, where $\eta$ is the output of impCODE), he tries the next row. 

2. If he succeeds, he decrypts $\mathrm{Plugs}^*_{[j \to \cdot]}(v)$ with the decryption key $(k_{j,v1} + k_{j,v2})$ and gets the plug information $\mathrm{Plugs}_{[j \to \cdot]}(v)$. Note that $z_{j,v} = g^{k_{j,v1}} \cdot g^{k_{j,v2}} = g^{k_{j,v1} + k_{j,v2}}$. 

3. He proceeds with the computation using the obtained plugs. 

When Bob has obtained all outputs from the output gates, he learns the output of the circuit. 
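The following added example (not the authors’ code) implements impCODE and the simulator SIM_B of Section 2.3 together with the plug mechanism of Sections 3.3 and 3.4 over a toy ElGamal group (p = 2039, q = 1019, chosen for illustration): Alice garbles two AND tables feeding an AND output gate, builds the plugs as CODE transcripts, and Bob can open exactly the row of the upper table whose inputs match the outputs he holds. Two simplifications are made here: the row keys k are encrypted as plain ElGamal plaintexts, and the permutation (1 2 3) of Fig. 1 is written as an index list.

```python
import random

# Toy ElGamal parameters, constructed for illustration only (far too small for real use):
# p = 2q + 1 with q prime; G_q is the group of quadratic residues mod p, generated by G = 4.
P, Q, G = 2039, 1019, 4
rng = random.Random(2007)

def keygen():
    x = rng.randrange(1, Q)
    return x, pow(G, x, P)                                   # (x, y = g^x)

def enc(y, m):
    """E_y(m) = (g^r, m * y^r) with r in Z_q; m is handled as an element of Z_p^*."""
    r = rng.randrange(1, Q)
    return pow(G, r, P), m * pow(y, r, P) % P

def dec(x, c):
    """D_x(alpha, beta) = beta / alpha^x."""
    alpha, beta = c
    return beta * pow(alpha, -x, P) % P

def code_transcript(xa, c1, c2, c3):
    """impCODE, Alice's side: eps = (alpha/gamma)^e, zeta = (beta/delta)^e, D = (eps*lambda)^{x_A}."""
    (alpha, beta), (gamma, delta), (lam, _) = c1, c2, c3
    e = rng.randrange(1, Q)
    eps = pow(alpha * pow(gamma, -1, P), e, P)
    zeta = pow(beta * pow(delta, -1, P), e, P)
    return eps, zeta, pow(eps * lam, xa, P)

def code_open(xb, c3, transcript):
    """impCODE, Bob's side: D' = (eps*lambda)^{x_B}; zeta*mu / (D*D') = (m1/m2)^e * m3."""
    eps, zeta, D = transcript
    lam, mu = c3
    return zeta * mu * pow(D * pow(eps * lam, xb, P), -1, P) % P

def simulate_transcript(xb, c1, c2, c3, d):
    """SIM_B of Theorem 1: eps, zeta as in the real protocol; D chosen so that Bob's opening is d."""
    (alpha, beta), (gamma, delta), (lam, mu) = c1, c2, c3
    e = rng.randrange(1, Q)
    eps = pow(alpha * pow(gamma, -1, P), e, P)
    zeta = pow(beta * pow(delta, -1, P), e, P)
    return eps, zeta, zeta * mu * pow(d * pow(eps * lam, xb, P), -1, P) % P

AND = [(0, 0, 0), (0, 1, 0), (1, 0, 0), (1, 1, 1)]           # rows (I_L, I_R, O) of an AND table

def build_gate(y, table, perm):
    """Alice's side of Section 3.3: row v of the table moves to position perm[v] and each bit b
    becomes E_y(g^b); per row, keys k_{v1}, k_{v2} in Z_q, their encryptions E_y(k) and g^k."""
    rows = [None] * len(table)
    for v, row in enumerate(table):
        rows[perm[v]] = tuple(enc(y, pow(G, b, P)) for b in row)
    ks = [(rng.randrange(1, Q), rng.randrange(1, Q)) for _ in rows]
    enc_ks = [(enc(y, k1), enc(y, k2)) for k1, k2 in ks]
    chk = [(pow(G, k1, P), pow(G, k2, P)) for k1, k2 in ks]
    return rows, ks, enc_ks, chk

def make_plugs(xa, src, dst, dst_enc_ks, col):
    """Plugs_[src->dst](v)[w]: a CODE transcript with c1 = O_{src,v}, c2 = I_{dst,w} (col 0 = left,
    1 = right) and c3 = E_y(k_{dst,w,col}); it opens the key only when the two plaintexts agree."""
    return [[code_transcript(xa, src[v][2], dst[w][col], dst_enc_ks[w][col]) for w in range(4)]
            for v in range(4)]

def bob_eval_gate(xb, plugs_i, plugs_k, enc_ks, chk, payload, vi, vk):
    """Section 3.4: Bob holds row vi of T_i and row vk of T_k. For each row w of T_j he opens both
    plugs; only the matching row yields k_{w1}, k_{w2} (checked against g^k), and that row's
    payload decrypts under sk = k_{w1} + k_{w2}, the secret key of z_w = g^{k_{w1}} g^{k_{w2}}."""
    for w in range(4):
        k1 = code_open(xb, enc_ks[w][0], plugs_i[vi][w])
        k2 = code_open(xb, enc_ks[w][1], plugs_k[vk][w])
        if pow(G, k1, P) == chk[w][0] and pow(G, k2, P) == chk[w][1]:
            return w, dec(k1 + k2, payload[w])
    return None

def demo():
    xa, ya = keygen()
    xb, yb = keygen()
    y = ya * yb % P                                          # shared key; private key x_A + x_B
    # impCODE alone: c3 is exposed iff c1 and c2 encrypt the same value; SIM_B reproduces Bob's view.
    c1, c2, c2bad, c3 = enc(y, G), enc(y, G), enc(y, 1), enc(y, 99)
    match = code_open(xb, c3, code_transcript(xa, c1, c2, c3))
    mismatch = code_open(xb, c3, code_transcript(xa, c1, c2bad, c3))
    sim = code_open(xb, c3, simulate_transcript(xb, c1, c2, c3, 99))
    # Two AND gates T_i, T_k feed the left and right inputs of an AND output gate T_j (Figs. 1-3).
    Ti, _, _, _ = build_gate(y, AND, [1, 2, 0, 3])           # permutation (1 2 3) of Fig. 1
    Tk, _, _, _ = build_gate(y, AND, [3, 0, 1, 2])
    Tj, kj, enc_kj, chk_j = build_gate(y, AND, [0, 1, 2, 3])  # T_j left unpermuted for clarity
    plugs_i = make_plugs(xa, Ti, Tj, enc_kj, 0)
    plugs_k = make_plugs(xa, Tk, Tj, enc_kj, 1)
    # Output gate: the last column carries E_{z_w}(g^{O_w}) instead of further plugs (Section 3.3).
    payload = [enc(pow(G, k1 + k2, P), pow(G, o, P)) for (k1, k2), (_, _, o) in zip(kj, AND)]
    # Bob reached row 3 of T_i (original row (1,1,1), output 1) and row 0 of T_k (original row
    # (0,1,0), output 0), so exactly row 2 = (1,0,0) of T_j opens and yields g^0 = 1.
    reached = bob_eval_gate(xb, plugs_i, plugs_k, enc_kj, chk_j, payload, 3, 0)
    return {"match": match, "mismatch": mismatch, "sim": sim, "reached": reached}

if __name__ == "__main__":
    print(demo())
```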
3.5 Communication Complexity in the Honest-But-Curious Case 

Consider a single truth table; each row of the table has 12 values of $\mathbb{Z}_p^*$ except the plugs. The plugs of each row have $4 \cdot 4 = 16$ values of $\mathbb{Z}_p^*$. Therefore, each (output or intermediate) table contains $4 \cdot (12 + 16) = 112 = O(1)$ values of $\mathbb{Z}_p^*$. Each input plug has 5 values for Alice, and 3 values for Bob. Thus, we need $8n$ values of $\mathbb{Z}_p^*$ for the inputs of Alice and Bob. We need another $n$ bits for Bob to send the result of the function back to Alice. Summing all the above, it is clear that the total communication complexity is $O((m + n) \log p)$ bits. 

4 Full Protocol 

4.1 Intuition 

While the protocol described above is secure assuming honest-but-curious participants, it is not secure against active cheating on the part of Alice. 

A corrupted party (either Alice or Bob) can publish a public key which is not chosen randomly. For example, Alice can wait for Bob to publish his public key $y_B$, pick a shared private key $x$ of her choice, and send $g^x / y_B$ as her public key $y_A$. This gives Alice knowledge of the shared private key and the power to decrypt any of the inputs (including Bob’s: she just needs to re-encrypt Bob’s input with $y_A$, and then she can decrypt them with $x$). To overcome this kind of attack, the malicious case protocol requires that Alice and Bob publish non-malleable PoK for the knowledge of the discrete logs of their respective public keys, together with their public keys. We note that both in the common reference string model and in the random oracle model, adding non-malleability to NIZK PoK EH! is simple: in the CRS model, we follow the technique of ESI; in the random oracle model, adding non-malleability to Fiat-Shamir style NIZK PoK m is simple: include the name of the publisher in the hash function evaluation. 

A corrupt Alice may cheat in the construction of the gate. First, Alice may 
send encrypted truth tables that do not correspond to the gates of the circuit. 
In Section 4.2 we show how Alice can prove that the truth tables are correct. 
Second, Alice may fake the plugs. Specifically, Alice may use the fact that the 
plugs are encrypted, and encrypt random values instead of valid plugs at selected 
locations. If Bob does complete the protocol, Alice learns that these invalid plugs 
were not decrypted, thus learning about Bob’s computation path. 

Therefore, in our full protocol, Alice sends Bob not only the garbled circuit 
but also the proof of its correct construction. The proof comprises two parts: the 
proof of correct construction of basic gates, and the proof of correct construction 
of plugs. 

4.2 Proof of Correct Construction of Basic Gates 

In this section, we give a zero knowledge proof of knowledge for a correct con- 
struction of gates. We assume that the circuit consists of NAND gates. 
Zero-knowledge Proof of Knowledge. Informally, a Proof of Knowledge is a proof for a relation $R$, in which the prover convinces the verifier that an instance is in the language, and also that the prover knows a witness for this instance, rather than just the existence of such a witness. In a (standard) proof of knowledge for the discrete log, the prover convinces the verifier that she knows the value of $b$, such that $a = g^b$, when $a$ is known to both. We denote such a proof by $PK\{b : a = g^b\}$. There are many variants on these proofs, such as in m. In this paper, we make use of variants in which Alice proves conjunctive statements, and statements regarding her knowledge of sets of discrete logs. See [912 915 j for a description of how to achieve such variants in an efficient manner. 

Proof of Boolean Plaintext. Let $\sigma^0 = 1$ and $\sigma^1$ represent boolean values 0 and 1, respectively. Specifically, we define $\sigma := g$ in ElGamal encryption while $\sigma := h$ in sCS encryption. Cramer et al. |HJ showed how to prove that the plaintext of an ElGamal cyphertext $A = (\alpha, \beta)$ is Boolean, i.e., 

$$\mathrm{Bool}(A) \stackrel{\mathrm{def}}{=} PK\{r : \alpha = g^r, (\beta = y^r \text{ or } \beta = \sigma \cdot y^r)\}.$$ 

Proof of Equality/Inequality of Boolean Plaintext. Using a ZK PoK for the 
discrete log it is easy to prove equality or inequality of the plaintexts of two ElGa- 
mal/sCS ciphertexts. Given the two ciphertexts $A = (\alpha, \beta)$ and $A' = (\alpha', \beta')$, 
let $(\epsilon, \delta) = (\alpha/\alpha', \beta/\beta')$, and let $(\mu, \nu) = (\alpha\alpha', \beta\beta'/\sigma)$. Note that 
$(\epsilon,\delta)$ is an encryption of $\sigma^{b-b'}$ and $(\mu,\nu)$ is an encryption of $\sigma^{b+b'-1}$, so each 
is an encryption of 1 exactly in the case being proved. To prove equality 
$D_x(A) = D_x(A')$, we give $PK\{x : y = g^x,\ \delta = \epsilon^x\}$ and denote this proof by 
$\mathrm{Eq}(A, A')$. To prove inequality $D_x(A) \neq D_x(A')$, we give $PK\{x : y = g^x,\ \nu = 
\mu^x\}$ and denote this proof by $\mathrm{Neq}(A, A')$. 

Shuffling Lists of Ciphertexts. We adopt a known protocol for non- 
interactively proving that two lists of ciphertexts are equivalent, i.e., that one 
list is a re-encryption of a permutation of the other. We denote this protocol Shuffle 
and note that the length of the protocol transcript is linear in the number of 
ciphertexts. While the protocol was originally designed for ElGamal encryptions, 
it can be applied to sCS encryptions as well. 


Fig. 4. Base NAND gate, NAND gate, and OUTPUT gate (the figure lists the encrypted 
truth-table columns In, In, Out: $(A_i, B_i, C_i)_{i=1}^{4}$ for the base NAND gate, their 
shuffled re-encryptions $(A'_i, B'_i, C'_i)_{i=1}^{4}$ for the NAND gate, and $(A_i, B_i)_{i=1}^{2}$ 
for the OUTPUT gate) [figure omitted] 


Fig. 5. Variable-based representation of tables $T_i$ and $T_j$ (for each row $v$ the 
figure shows the entries $(\alpha_{i,v_1},\beta_{i,v_1})$, $(\alpha_{i,v_2},\beta_{i,v_2})$, $(\gamma_{i,v},\delta_{i,v})$, 
$(\lambda_{i,v_1},\mu_{i,v_1})$, $\kappa_{i,v_1}$, and the plugs $\mathrm{Plugs}_{[i\to j]}$) [figure omitted] 

Correct Construction of NAND Gate. For a NAND gate, we give a two- 
part proof; the first part shows the structure of the gate. However, this part leaks 
information about the truth table, so the second part shuffles and re-encrypts the 
truth table entries. For two ElGamal/sCS ciphertexts $Y = (\alpha, \beta)$ and $Y' = 
(\alpha', \beta')$, denote $Y \boxplus Y' = (\alpha\alpha', \beta\beta')$; this is an encryption of the product 
of the two plaintexts. Let $X = (1, 1/\sigma^2)$ be a trivial encryption 
of $1/\sigma^2$. We use the following fact to construct the base gate: 

$c = a\ \mathrm{NAND}\ b \iff a + b + 2(c - 1) \in \{0, 1\}.$ 

The base NAND gate: 

1. $\mathrm{Bool}(A_1), \ldots, \mathrm{Bool}(C_4)$, i.e., $\mathrm{Bool}(A_i)$, $\mathrm{Bool}(B_i)$, $\mathrm{Bool}(C_i)$ for $i \in \{1, \ldots, 4\}$ 

2. $\mathrm{Eq}(A_1, A_2)$, $\mathrm{Eq}(A_3, A_4)$, $\mathrm{Neq}(A_1, A_3)$ 

3. $\mathrm{Eq}(B_1, B_3)$, $\mathrm{Eq}(B_2, B_4)$, $\mathrm{Neq}(B_1, B_2)$ 

4. $\mathrm{Bool}(A_i \boxplus B_i \boxplus C_i \boxplus C_i \boxplus X)$ for $i \in \{1, \ldots, 4\}$ 

The second and third items show that the input columns are valid. The last item 
shows that the output column is valid: $A_i \boxplus B_i \boxplus C_i \boxplus C_i \boxplus X$ encrypts 
$\sigma^{a_i + b_i + 2(c_i - 1)}$, which is Boolean exactly when $c_i = a_i\ \mathrm{NAND}\ b_i$. Note that the 
proof in this step reveals some information, such as equality of ciphertexts in the 
same column. Hence the second part: $\mathrm{Shuffle}((A_i, B_i, C_i)_{i=1}^{4}, (A'_i, B'_i, C'_i)_{i=1}^{4})$. 

Correct Construction of an OUTPUT Gate. The proof for the correct 
construction is as follows: 

The OUTPUT gate: 

1. $\mathrm{Bool}(A_1)$, $\mathrm{Bool}(A_2)$, $\mathrm{Bool}(B_1)$, $\mathrm{Bool}(B_2)$ 

2. $\mathrm{Neq}(A_1, A_2)$, $\mathrm{Eq}(A_1, B_1)$, $\mathrm{Eq}(A_2, B_2)$ 
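The building blocks of this section (Bool as an OR-proof of two Chaum-Pedersen statements, Eq and Neq as Chaum-Pedersen proofs on the combined ciphertexts, and item 4 of the base NAND gate as Bool applied to the $\boxplus$-product with $X$) are small enough to run end to end. The following Python is an added example written for this page, not code from the paper's authors. It assumes a toy safe prime $p = 10007$, $q = 5003$ with generator $g = 4$ and $\sigma := g$ (real deployments need a group of cryptographic size), a Fiat-Shamir challenge in place of the interactive verifier, and deterministic randomness so the run is reproducible; soundness error per proof is $1/q$ with these toy parameters.

```python
"""Bool / Eq / Neq proofs on ElGamal bit encryptions, plus the base-NAND-gate row
check (added example; toy parameters, not for production)."""
import hashlib
import random

P, Q = 10007, 5003        # toy safe prime p = 2q + 1 (assumption: real use needs ~2048 bits)
G = 4                     # a square mod p, hence a generator of the order-q subgroup
SIGMA = G                 # sigma := g in the ElGamal variant: bit b is encrypted as sigma^b
RNG = random.Random(2007) # deterministic randomness for a reproducible demo (assumption)

def inv(a):
    return pow(a, P - 2, P)

def rnd():
    return RNG.randrange(1, Q)

def challenge(*vals):
    """Fiat-Shamir challenge in Z_q over the proof transcript."""
    h = hashlib.sha256("|".join(map(str, vals)).encode()).digest()
    return int.from_bytes(h, "big") % Q

def keygen():
    x = rnd()
    return x, pow(G, x, P)

def encrypt(y, bit):
    """ElGamal encryption of sigma^bit: A = (g^r, sigma^bit * y^r); returns (A, r)."""
    r = rnd()
    return (pow(G, r, P), pow(SIGMA, bit, P) * pow(y, r, P) % P), r

def cp_prove(g1, g2, u1, u2, w):
    """Chaum-Pedersen PK{w : u1 = g1^w, u2 = g2^w}, made non-interactive."""
    t = rnd()
    c = challenge(g1, g2, u1, u2, pow(g1, t, P), pow(g2, t, P))
    return c, (t + c * w) % Q

def cp_verify(g1, g2, u1, u2, proof):
    c, s = proof
    a1 = pow(g1, s, P) * inv(pow(u1, c, P)) % P   # recovers g1^t iff the proof is valid
    a2 = pow(g2, s, P) * inv(pow(u2, c, P)) % P
    return c == challenge(g1, g2, u1, u2, a1, a2)

def eq_terms(A, B):
    """(epsilon, delta) = (alpha/alpha', beta/beta'): encrypts sigma^(b - b')."""
    return A[0] * inv(B[0]) % P, A[1] * inv(B[1]) % P

def neq_terms(A, B):
    """(mu, nu) = (alpha*alpha', beta*beta'/sigma): encrypts sigma^(b + b' - 1)."""
    return A[0] * B[0] % P, A[1] * B[1] * inv(SIGMA) % P

def eq_prove(x, y, A, B):      # Eq(A, A') = PK{x : y = g^x, delta = epsilon^x}
    e, d = eq_terms(A, B)
    return cp_prove(G, e, y, d, x)

def eq_verify(y, A, B, proof):
    e, d = eq_terms(A, B)
    return cp_verify(G, e, y, d, proof)

def neq_prove(x, y, A, B):     # Neq(A, A') = PK{x : y = g^x, nu = mu^x}
    m, n = neq_terms(A, B)
    return cp_prove(G, m, y, n, x)

def neq_verify(y, A, B, proof):
    m, n = neq_terms(A, B)
    return cp_verify(G, m, y, n, proof)

def bool_prove(y, A, bit, r):
    """Bool(A) = PK{r : alpha = g^r, (beta = y^r or beta = sigma*y^r)}: an OR-proof
    whose false branch is simulated with a random challenge share and response."""
    alpha, beta = A
    targets = [beta, beta * inv(SIGMA) % P]          # branch i claims targets[i] = y^r
    other = 1 - bit
    c, s, a = [0, 0], [0, 0], [None, None]
    t = rnd()
    a[bit] = (pow(G, t, P), pow(y, t, P))
    c[other], s[other] = rnd(), rnd()
    a[other] = (pow(G, s[other], P) * inv(pow(alpha, c[other], P)) % P,
                pow(y, s[other], P) * inv(pow(targets[other], c[other], P)) % P)
    c[bit] = (challenge(alpha, beta, *a[0], *a[1]) - c[other]) % Q
    s[bit] = (t + c[bit] * r) % Q
    return tuple(c), tuple(s)

def bool_verify(y, A, proof):
    alpha, beta = A
    c, s = proof
    targets = [beta, beta * inv(SIGMA) % P]
    a = [(pow(G, s[i], P) * inv(pow(alpha, c[i], P)) % P,
          pow(y, s[i], P) * inv(pow(targets[i], c[i], P)) % P) for i in range(2)]
    return (c[0] + c[1]) % Q == challenge(alpha, beta, *a[0], *a[1])

def nand_row_term(A, B, C):
    """A (+) B (+) C (+) C (+) X with X = (1, 1/sigma^2): encrypts sigma^(a+b+2c-2)."""
    T = A
    for Z in (B, C, C, (1, inv(SIGMA * SIGMA % P))):
        T = (T[0] * Z[0] % P, T[1] * Z[1] % P)
    return T

def nand_row_prove(y, row):
    """Item 4 of the base NAND gate for one truth-table row; row = [(A, a, rA), ...]."""
    (A, a, rA), (B, b, rB), (C, c, rC) = row
    bit = a + b + 2 * c - 2                          # in {0, 1} iff c = a NAND b
    if bit not in (0, 1):
        raise ValueError("not a NAND row: no valid Bool proof exists")
    return bool_prove(y, nand_row_term(A, B, C), bit, (rA + rB + 2 * rC) % Q)
```

The verifier never trusts a combined ciphertext sent by the prover: it recomputes `eq_terms`, `neq_terms` and `nand_row_term` itself from the column ciphertexts, so a proof can only vouch for the plaintext relation the verifier derived. Because the prover of Eq/Neq is the key holder (Alice knows $x$), an attempt to prove Eq on two ciphertexts of different bits simply yields a proof that fails verification.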


4.3 Correct Construction of Plugs 

Structure of the Plug. We modify the structure of $\mathrm{Plug}_{[i\to j]}(v, w)$ a little 
in the full protocol. We assume that the output of gate $G_i$ and the left input 
of gate $G_j$ are connected together. See Figure 5 for the representation of the 
two tables $T_i$ and $T_j$. The plug is an encryption of the impCODE transcript for 

$c_1 = (\alpha_{j,w_1}, \beta_{j,w_1}),\quad c_2 = (\gamma_{i,v}, \delta_{i,v}),\quad c_3 = (\lambda_{j,w_1}, \mu_{j,w_1}).$ (see footnote 2) 

The actual transcript is of the following form: $\mathrm{Plug}_{[i\to j]}(v, w) = (\varepsilon, \zeta, D)$, where 

$\varepsilon = (\alpha_{j,w_1}\,\gamma_{i,v})^{e},\quad \zeta = (\beta_{j,w_1}\,\delta_{i,v})^{e},\quad D = (\varepsilon\cdot\lambda_{j,w_1})^{x_A},\quad e \in_R \mathbb{Z}_q.$ 

Note that we do not have to encrypt $\varepsilon$ or $\zeta$; the exponent $e$ in $\varepsilon$ and $\zeta$ is 
already hard to find by the hardness of the DLP. So we only have to apply 
ElGamal encryption to $D$. The plug now looks as follows: 

$\mathrm{Plug}_{[i\to j]}(v, w) = (\varepsilon, \zeta, (g^r, D\cdot z_{i,v}^{r})),\quad \text{where } r \in_R \mathbb{Z}_q.$ 

We call $(g^r, D\cdot z_{i,v}^{r})$ the encrypted part of the plug. 

When Bob obtains the (decrypted) plug $\mathrm{Plug}_{[i\to j]}(v, w)$, he executes the imp- 
CODE scheme and gets an output $k$, where $D' = (\varepsilon\cdot\lambda_{j,w_1})^{x_B}$. 
He checks whether $g^k = \kappa_{j,w_1}$ holds; if it holds, he decides that $(\alpha_{j,w_1}, \beta_{j,w_1}) = \ldots$ 

2 If the output of $G_i$ were the right input of $G_j$, it would be $c_1 = (\alpha_{j,w_2}, \beta_{j,w_2})$, 
$c_2 = \ldots$, $c_3 = (\lambda_{j,w_2}, \mu_{j,w_2})$. 

Two-Party Computing with Encrypted Data 311 

ZKVerify: Proof of Correct Plug Construction. The goal of the ZKVerify 
proof is for Alice to prove that the encrypted COVE transcripts are valid. Specif- 
ically, we show how to generate the proof for the plug. The plug 
is encrypted using the key $z_{i,v} = \kappa_{i,v_1}\cdot\kappa_{i,v_2} = g^{k_{i,v_1}}\cdot g^{k_{i,v_2}}$ (see Figure 5 
for the notation), and the corresponding secret key is obtained by Bob only if he 
correctly learns $k_{i,v_1}$ and $k_{i,v_2}$ (this limits his computation to a single computa- 
tional path in the circuit). ZKVerify proves two things: (1) given the two ciphertexts 
$E_y(k_{i,v_1}), E_y(k_{i,v_2})$, the encrypted part of the plug, i.e., $(g^r, D\cdot z_{i,v}^{r})$, is actually 
encrypted under the public key $z_{i,v}$; (2) she knows the discrete logs used in the 
rest of the plug. 



In the ElGamal-based construction, we assume that both $p$ and $q$ are safe 
primes such that $p = 2q + 1$ and $q = 2q' + 1$ (i.e., $p$ is a double decker). It is 
claimed that there are infinitely many such tuples of primes, and they are easy 
to find. We let $k_{i,v_1} = f^{\tau_1}$ and $k_{i,v_2} = f^{\tau_2}$, where $f$ is a generator of $Q_{q'}$. The 
proof $\mathrm{ZKVerify}((\lambda_{i,v_1}, \mu_{i,v_1}, g^{k_{i,v_1}}), (\lambda_{i,v_2}, \mu_{i,v_2}, g^{k_{i,v_2}}), \mathrm{Plugs}_{[i\to j]}(v, w))$ 
is as follows: 

$PK\{(r_1, \tau_1, r_2, \tau_2, e, r_3, x_A) : \lambda_{i,v_1} = g^{r_1},\ \mu_{i,v_1} = f^{\tau_1}\cdot y^{r_1},\ \kappa_{i,v_1} = g^{f^{\tau_1}},\ \ldots\}$ 

(the remaining clauses are not legible in the source; they are those of the sCS 
proof below with $k_{i,v_1} = f^{\tau_1}$ and $k_{i,v_2} = f^{\tau_2}$). The above proof uses proofs of 
knowledge of a double discrete log, which can be constructed using Camenisch and 
Stadler [3]. They showed how to construct such proofs in their paper, and this 
costs $O(\ell)$ communication complexity ($\ell$ is the security parameter). 

For the sCS-based protocol, ZKVerify is simpler, and we do not need to 
construct $k_1, k_2$ in a special form. The proof shows directly that $\kappa_{i,v_1} = g^{k_{i,v_1}}$. 
The proof ZKVerify is as follows: 

$PK\{(r_1, k_{i,v_1}, r_2, k_{i,v_2}, e, r_3, x_A) :\ \lambda_{i,v_1} = g^{r_1},\ \mu_{i,v_1} = h^{k_{i,v_1}}\cdot y^{r_1},\ \kappa_{i,v_1} = g^{k_{i,v_1}},$ 

$\lambda_{i,v_2} = g^{r_2},\ \mu_{i,v_2} = h^{k_{i,v_2}}\cdot y^{r_2},\ \kappa_{i,v_2} = g^{k_{i,v_2}},$ 

$\varepsilon = (\alpha_{j,w_1}\,\gamma_{i,v})^{e},\ \zeta = (\beta_{j,w_1}\,\delta_{i,v})^{e},$ 

$y_A = g^{x_A},\ \nu = g^{r_3},\ D = z_{i,v}^{r_3}\cdot(\varepsilon\cdot\lambda_{j,w_1})^{x_A}\}$ 

Note that in the sCS-based protocol the ZKVerify proof does not include a double 
discrete log proof. 

4.4 Protocol Details: Input Contribution 

The parties contributing inputs might be malicious. For example, an input con- 
tributor may generate a committed input by mauling another party's committed input. 
To avoid this kind of attack, the input contributors add non-malleable zero- 
knowledge proofs of knowledge to each of their committed input bits. In addition, 
the parties who manage the public directory that stores the committed inputs 
check the committed inputs and reject any inputs that carry identical proofs. 

4.5 Protocol Details: Alice 

Alice sends the tables as in the honest-but-curious case and, in addition, for 
each gate $G_i$ she sends a proof of correct construction of the gate and of the 
plugs, $\mathrm{ZKVerify}((\lambda_{i,v_1}, \mu_{i,v_1}, g^{k_{i,v_1}}), (\lambda_{i,v_2}, \mu_{i,v_2}, g^{k_{i,v_2}}), \mathrm{Plugs}_{[i\to j]}(v))$, 

where by $\mathrm{Plugs}_{[i\to j]}(v)$ we mean the four encrypted pairs, one for each COVE 
transcript, which are all encrypted using $z_{i,v} = g^{k_{i,v_1} + k_{i,v_2}}$. 

4.6 Protocol Details: Bob 

In the full version of the protocol, Bob first verifies that all the proofs Alice 
sent are valid. That is, for each gate $G_i$ Bob verifies that the proof of correct 
construction of the gate is valid, and for each row $v$ of table $T_i$ Bob verifies that 
the proof of correct encryption of the plugs $\mathrm{Plugs}_{[i\to j]}(v)$ is valid. If any of the 
proofs is invalid, Bob aborts the protocol. Otherwise (if all proofs are valid), Bob 
continues as in the honest-but-curious protocol. 

4.7 Communication Complexity in the Malicious Case 

In addition to the communication cost of the garbled circuit, the malicious 
case incurs the cost of sending the additional proofs. When ElGamal 
encryption is used, the total communication complexity is $O((m\cdot\ell + n)\log p)$ 
bits, mainly due to the proofs of double discrete log. When sCS encryption is 
used, the total communication complexity is $O((m + n)\log p)$ bits. 
Abstract. We present two block cipher distinguishers in a setting where 
the attacker knows the key. One is a distinguisher for AES reduced to 
seven rounds. The second is a distinguisher for a class of Feistel ciphers 
with seven rounds. This setting is quite different from traditional set- 
tings. We present an open problem: the definition of a new notion of 
security that covers attacks like the ones we present here, but not more. 

Keywords: Block Cipher, Cryptanalysis, Distinguishing algorithms, 
AES, Feistel ciphers. 


1 Introduction 

The research leading to this paper was triggered by the following example. Con- 
sider an $n$-bit block cipher and a plaintext/ciphertext pair for which the least 
significant $s$ bits in both $n$-bit strings are zeros. With $s < n/2$ such a pair can 
be found for any reasonable block cipher in time equivalent to approximately 
$2^s$ encryptions. Imagine a block cipher where, if one is given any key $k$, one can 
find such a pair for $k$ in time much less than $2^s$, but where no efficient attacks 
are known in the traditional black-box model. Should we recommend the use of 
such a cipher? We don't think so! 

In the next two sections we present two attacks, or rather distinguishers, for 
block cipher constructions, where the attacker knows the key. Section 2 presents 
a distinguisher on AES reduced to seven rounds; Section 3 presents distinguishers 
for a class of Feistel ciphers, also with seven rounds. At first glance it might 
appear strange to consider attacks on a cipher where one is given the secret key. 
However, by studying this type of attack, we might learn something about the 
security margin of a cipher. Intuitively, it seems clear that if one cannot find 
distinguishers for a block cipher when given the key, then one cannot find a 
distinguisher where the key is secret. Secondly, in some cases (mainly for block 
cipher based hashing) block ciphers are used with a key that is known to the 
attacker, and at least to a certain extent, the key is under the attacker's control. 
Our attacks are quite relevant to this case. 

After introducing our two attacks, we discuss related work in Section 4. We 
present some thoughts on a new notion of security in Section 5. We conclude in 
Section 6. 

2 Distinguishers for Reduced AES 

In this section we present known-key distinguishers for AES reduced to seven 
(out of ten) rounds. We shall use the so-called integrals to do so. 

AES is an iterated cipher where in each iteration the subfunctions SubBytes, 
ShiftRows, MixColumns, and AddRoundKey are employed, except for the last 
iteration where the function MixColumns is omitted. The reason for this is that 
it allows the decryption routine to be implemented in a similar style to the 
encryption routine. 

Consider a collection of 256 texts which have different values in one byte 
and equal values in each of the remaining fifteen bytes. It is well known that 
after two rounds of encryption the texts take all 256 values in each of the sixteen 
bytes, and that after three rounds of encryption the sum of the 256 bytes in each 
position is zero. Such a structure of 256 texts is called a 3-round integral. 
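The two properties of the 256-text structure are easy to verify directly once one has the AES round transformations, and that is what the following Python does. It is an added example for this page, not code from the paper; it implements AES-128 from its definition (S-box from field inversion plus the affine map, AES-128 key schedule), encrypts the 256-text structure for a chosen number of rounds, and reports whether every byte takes all values once (two rounds) and whether every byte sums to zero (three rounds). The key and the constant filler byte 0x5A are arbitrary choices: the properties hold for any key, which is exactly why they are usable when the key is known.

```python
"""Known-key integral on reduced-round AES: 2-round all-values, 3-round zero sums
(added example)."""
import os

def gf_mul(a, b):
    """Multiplication in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        a, carry = (a << 1) & 0xFF, a & 0x80
        if carry:
            a ^= 0x1B
        b >>= 1
    return r

def _build_sbox():
    """AES S-box from field inversion followed by the affine map (no table typed in)."""
    sbox = [0] * 256
    for x in range(256):
        inv = 0
        if x:
            inv = 1
            for _ in range(254):           # x^254 = x^-1 in GF(2^8)
                inv = gf_mul(inv, x)
        s = inv
        for i in range(1, 5):              # s ^= rotl(inv, 1..4)
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        sbox[x] = s ^ 0x63
    return sbox

SBOX = _build_sbox()

def xor(a, b):
    return [u ^ v for u, v in zip(a, b)]

def sub_bytes(s):
    return [SBOX[b] for b in s]

def shift_rows(s):
    """State is column-major: byte (row r, column c) sits at s[4*c + r]."""
    return [s[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]

def mix_columns(s):
    out = []
    for c in range(4):
        a0, a1, a2, a3 = s[4 * c:4 * c + 4]
        out += [gf_mul(a0, 2) ^ gf_mul(a1, 3) ^ a2 ^ a3,
                a0 ^ gf_mul(a1, 2) ^ gf_mul(a2, 3) ^ a3,
                a0 ^ a1 ^ gf_mul(a2, 2) ^ gf_mul(a3, 3),
                gf_mul(a0, 3) ^ a1 ^ a2 ^ gf_mul(a3, 2)]
    return out

def key_expansion(key):
    """AES-128 key schedule; returns eleven 16-byte round keys (column-major)."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[t[1]] ^ rcon, SBOX[t[2]], SBOX[t[3]], SBOX[t[0]]]
            rcon = gf_mul(rcon, 2)
        w.append(xor(w[i - 4], t))
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def aes_rounds(block, round_keys, nrounds, last_round_special=True):
    """nrounds AES rounds after the initial key addition; with last_round_special the
    final round omits MixColumns (nrounds=10 then gives full AES-128)."""
    s = xor(list(block), round_keys[0])
    for r in range(1, nrounds + 1):
        s = shift_rows(sub_bytes(s))
        if not (last_round_special and r == nrounds):
            s = mix_columns(s)
        s = xor(s, round_keys[r])
    return bytes(s)

def integral_texts(active_byte=0):
    """The 256-text structure: one byte takes every value, the other 15 are constant
    (constructed input; the filler 0x5A is arbitrary)."""
    base = bytearray(b"\x5A" * 16)
    for v in range(256):
        base[active_byte] = v
        yield bytes(base)

def integral_sums(key, nrounds, last_round_special=False):
    """XOR sum of every ciphertext byte over the structure: all zero after 3 rounds."""
    rk = key_expansion(key)
    sums = [0] * 16
    for pt in integral_texts():
        sums = xor(sums, aes_rounds(pt, rk, nrounds, last_round_special))
    return sums

def integral_all_values(key, nrounds, last_round_special=False):
    """True iff every byte position takes all 256 values exactly once (2 rounds)."""
    rk = key_expansion(key)
    cts = [aes_rounds(pt, rk, nrounds, last_round_special) for pt in integral_texts()]
    return all(len({ct[i] for ct in cts}) == 256 for i in range(16))

if __name__ == "__main__":
    key = os.urandom(16)                   # the distinguisher knows the key; any value works
    print("2 rounds, all values once :", integral_all_values(key, 2))
    print("3 rounds, zero sums       :", integral_sums(key, 3) == [0] * 16)
    print("4 rounds, zero sums       :", integral_sums(key, 4) == [0] * 16)
```

Running the check for four full rounds shows the zero-sum property of the 256-text structure is gone after the third round's non-linear layer, which is why the larger $2^{32}$ and $2^{56}$ structures of the following subsections are needed to reach four and seven rounds.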

2.1 Notation 

We introduce some notation for integrals on AES. An integral with the terms $A^s$ 
is a collection of $2^{8s}$ texts. Writing $A^s_j$ in a byte position means that in the integral 
the (string) concatenation of all bytes with subscript $j$ takes all $2^{8s}$ $8s$-bit values 
exactly once. $A^*$ means that in the integral the particular byte is balanced, that 
is, it takes all values exactly $2^{8(s-1)}$ times. $C$ means that the values in the partic- 
ular byte are constant, and $S$ means that for the particular byte the sum over all texts 
can be determined. For AES, addition is defined by the exclusive-or operation. 
The special last round of AES has an interesting property for integral attacks, 
namely that the balance property of an integral is preserved through this round. 

2.2 Integrals for AES 

It is known that there is a 3-round integral for AES using $2^{32}$ texts. The main 
observation is that one can choose $2^{32}$ plaintexts as a collection of $2^{24}$ 2-round 
integrals described above (starting from the second round), each with $2^8$ texts. 
Since the texts in each of these 2-round integrals take all values equally many 
times in any byte position after the third round, so does the set of all $2^{32}$ texts. 

Fig. 1. An integral for 4-round AES with $2^{32}$ texts. The fourth round is a special round 
without MixColumns. [figure omitted] 

Fig. 2. A backwards integral for three (full) rounds of AES with $2^{32}$ texts [figure omitted] 

If we consider AES reduced to four rounds, that is, where the last round is of 
the special form described above, then one gets that all bytes of the ciphertexts 
are balanced in the 4-round integral. Figure 1 depicts this 4-round integral. Not 
surprisingly, one can also define integrals through the inverse cipher of AES. We 
present a backwards integral for three (full) rounds of AES in Figure 2 (note that 
the backward integral extended to four rounds neither preserves the balance 
property nor makes it obvious how to determine the sum of the texts). 

The forward and backward integrals can be combined into integrals over more 
than four rounds of AES. One chooses a structure of $2^{56}$ texts which differ in 
seven bytes and which have constant values in the remaining nine bytes. One can 
view this as a collection of $2^{24}$ copies of the forward integral for 4-round AES, 
but also as a collection of $2^{24}$ copies of the backwards 3-round 
integral. Therefore, when one starts in the middle of the cipher one computes 
forwards and backwards for the two integrals. Next we show how to employ our 
findings in known-key distinguishers for AES reduced to seven rounds. 

2.3 Known-Key Distinguishers for AES Reduced to Seven Rounds 

Consider a variant of AES reduced to seven rounds, where MixColumns is omit- 
ted in the last round. Here one can specify the integral of Figure 3, which can 
be used in a known-key distinguisher. It is constructed from the four-round 
integral of Figure 1 and the three-round integral of Figure 2. 

Fig. 3. An integral for 7-round AES with $2^{56}$ texts. The seventh round is a special 
round without MixColumns. [figure omitted] 

The known-key distinguisher simply records the frequencies in each byte of 
the plaintexts and ciphertexts, and checks whether the values in each byte of the 
plaintexts and in each byte of the ciphertexts occur equally often. The time 
complexity is similar to the time it takes to do $2^{56}$ 7-round AES encryptions, and 
the memory needed is small. 

The big question is of course what the complexity is of finding a similar struc- 
ture for any 128-bit permutation. The only approach we know of which comes 
close to an answer is the approach for solving the $k$-sum problem. 
Given a function $f$ on $n$ bits, the $k$-sum problem is to find $x_1, \ldots, x_k$ such that 
$\bigoplus_{i=1}^{k} f(x_i) = 0$. A solution to this problem (Wagner's generalized birthday 
algorithm) has a running time of $O(k\cdot 2^{n/(1+\log_2 k)})$. In our case $n = 128$ and 
$k = 2^{56}$, indicating a running time of $2^{58}$ operations. However, this is a very 
inaccurate estimate of the complexity we are looking for: the estimate above is 
in big-$O$ notation, thus ignoring smaller constants; the approach requires memory 
(more than for the AES distinguisher); but, much more importantly, the $k$-sum 
problem does not give us the structure that we get for reduced AES, merely a 
collection of texts whose sum through the function $f$ is zero, with no conditions 
of balance on the values of $x_i$ and $f(x_i)$. On the other hand, not much research 
has gone into finding efficient solutions for this problem. Nevertheless, we feel 
confident in conjecturing that for a randomly chosen 128-bit permutation, finding 
a collection of $2^{56}$ texts in similar time, using similar (little) memory and with 
similar properties as in the case of 7-round AES has a probability of succeeding 
which is very close to zero. Thus, we make the following claim. 

Conjecture 1. There is a known-key distinguisher for AES reduced to seven 
rounds which uses $2^{56}$ texts. 

We note that the above integrals might exist for a randomly chosen permutation 
but they are hard to find. The point we are making is that for the AES variants 
one finds the texts in the integrals much faster than for a randomly chosen 
permutation. 

3 Distinguisher for a 7-Round Feistel Cipher 

We present here a known-key distinguisher on an $n$-bit Feistel cipher with 7 
rounds. The attack requires that the round function of the Feistel cipher consists 
of an XOR of the round key to the round function input, followed by an arbitrary 
key-independent transformation. An example of a Feistel cipher with such a 
round function is SEED, but note that SEED has 16, rather than 7, rounds. 

3.1 Description 

The distinguisher computes (in constant time) two plaintexts denoted by $p = 
(p_L, p_R)$ and $\tilde p = (\tilde p_L, \tilde p_R)$ which have a special property. Let the corresponding 
ciphertexts be denoted by $c = (c_L, c_R)$ and $\tilde c = (\tilde c_L, \tilde c_R)$; then the following 
equation holds with probability 1: 

$p_R \oplus \tilde p_R \oplus c_R \oplus \tilde c_R = 0. \qquad (1)$ 

Figure 4 gives the algorithm to compute the plaintexts $p$ and $\tilde p$. Note that the 
algorithm works only if the round keys of the second and sixth rounds are not 
equal. For most key schedules, such an equality happens only for a negligible 
fraction of the keys. 

For two randomly chosen plaintexts, (1) is satisfied with probability only 
$2^{-n/2}$, so we can build a strong distinguisher in this case. Also, since $x$ can be 
chosen arbitrarily, one can find many such pairs, thereby increasing the advantage 
of the distinguisher. 

3.2 Conditions on the Round Function $f$ 

If $f$ is a bijection which is easy to invert, the computation of the pair of plain- 
texts is straightforward. Also, note that the subkeys can be independent or 
computed in a key schedule; the only requirement we make above is that $k_2 \oplus k_6 \neq 
0$. If $f$ is not bijective, the method might still work, if inverting $f$ is not too 
costly. One example is DES, where given $f(w)$ it is relatively easy to find $w'$ 
such that $f(w') = f(w)$. 

Fig. 4. Algorithm to compute the plaintexts $p$, $\tilde p$ satisfying (1) 

Input: the round function of the Feistel cipher, denoted by $f$; the seven subkeys 
$k_1, \ldots, k_7$, with $k_2 \neq k_6$. 

Algorithm: 

1. Choose an arbitrary value for $x$. 

2. Define the values $\gamma, \alpha, z$ as: 

$\gamma = k_2 \oplus k_6$ 
$\alpha = x \oplus f^{-1}(f(x) \oplus \gamma)$ 
$z = f^{-1}(k_3 \oplus k_5 \oplus \alpha)$ 

3. Compute 

$p = (z \oplus f(x) \oplus k_4 \oplus f(p_R \oplus k_1),\ \ x \oplus k_3 \oplus f(z \oplus f(x) \oplus k_2 \oplus k_4))$ 
$\tilde p = (z \oplus f(x) \oplus \gamma \oplus k_4 \oplus f(\tilde p_R \oplus k_1),\ \ x \oplus \alpha \oplus k_3 \oplus f(z \oplus f(x) \oplus k_6 \oplus k_4))$ 

It follows that $p_R \oplus c_R = \alpha \oplus k_3 \oplus k_5 = f(z) = \tilde p_R \oplus \tilde c_R$, see Figure 5. 
Consequently $p_R \oplus \tilde p_R \oplus c_R \oplus \tilde c_R = 0$. 

Fig. 5. First encryption in the 7-round Feistel cipher distinguisher, with 
$p_L = z \oplus f(x) \oplus k_4 \oplus f(p_R \oplus k_1)$ and $p_R = x \oplus k_3 \oplus f(z \oplus f(x) \oplus k_2 \oplus k_4)$. 
The second encryption is where $x$ is replaced by $x \oplus \alpha$ and where $f(x)$ is replaced 
by $f(x) \oplus \gamma$. Notation: $\gamma = k_2 \oplus k_6$; $\alpha = x \oplus f^{-1}(f(x) \oplus \gamma)$; 
$z = f^{-1}(k_3 \oplus k_5 \oplus \alpha)$. [figure omitted] 

There is a variant of this attack which works for 7 rounds of Feistel ciphers 
where $f$ is not bijective and where the following tasks should be "easy": 

1. Find $x, y, \alpha \neq 0$ such that $f(x) = f(x \oplus \alpha) = y$, 

2. Find $z$ such that $f(z) = k_3 \oplus k_5$. 

If one accomplishes these two tasks then one finds a pair of plaintexts such that 
(1) is satisfied. We omit the details here and refer to Appendix A. 
3.3 Impact 

To illustrate where the above findings could be exploited in practice, consider the 
Matyas-Meyer-Oseas hashing mode, where the compression function is defined as 

$h(h_{i-1}, m_i) = F_{h_{i-1}}(m_i) \oplus m_i.$ 

If $F$ is a 7-round Feistel cipher construction where $f$ is bijective, then one finds 
a pair of blocks which collide in half of the bits in the outputs of $h$ doing only 
two encryptions. 
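The algorithm of Figure 4 and its consequence for Matyas-Meyer-Oseas hashing (Section 3.3) can be exercised on a concrete toy Feistel cipher. The Python below is an added example written for this page, not code from the paper's authors. Its assumptions: 32-bit blocks with 16-bit halves; a round of the form $(L, R) \mapsto (R,\ L \oplus f(R \oplus k_i))$, i.e. the round key is XORed to the input of a key-independent bijection $f$ (here a nibble S-box followed by an odd multiplication and a rotation); the swap after the seventh round is omitted, as in DES, so that $c_R$ is the right half entering round seven, which is the convention under which relation (1) holds; and, for the hashing demonstration, a made-up key schedule deriving seven round keys from the 32-bit chaining value.

```python
"""Known-key distinguisher for a 7-round Feistel cipher, and the MMO half-collision
it yields (added example)."""
import os

W = 16                                   # half-block width in bits, n = 32 (assumption)
MASK = (1 << W) - 1
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
SBOX_INV = [SBOX.index(v) for v in range(16)]
MUL = 0x9E37                             # odd, hence invertible modulo 2^16
MUL_INV = pow(MUL, -1, 1 << W)

def f(w):
    """Key-independent bijection: nibble S-box, odd multiplication, 5-bit rotation."""
    w = sum(SBOX[(w >> (4 * i)) & 0xF] << (4 * i) for i in range(4))
    w = (w * MUL) & MASK
    return ((w << 5) | (w >> (W - 5))) & MASK

def f_inv(w):
    w = ((w >> 5) | (w << (W - 5))) & MASK
    w = (w * MUL_INV) & MASK
    return sum(SBOX_INV[(w >> (4 * i)) & 0xF] << (4 * i) for i in range(4))

def encrypt(p, keys):
    """Seven rounds of (L, R) -> (R, L ^ f(R ^ k_i)); the final swap is omitted
    (DES convention), so c_R is the right half entering round seven."""
    L, R = p
    for k in keys:
        L, R = R, L ^ f(R ^ k)
    return R, L

def special_pair(keys, x):
    """Figure 4: from an arbitrary x compute p, p~ with p_R ^ p~_R ^ c_R ^ c~_R = 0."""
    k1, k2, k3, k4, k5, k6, k7 = keys
    gamma = k2 ^ k6                      # must be non-zero, i.e. k2 != k6
    alpha = x ^ f_inv(f(x) ^ gamma)      # f(x ^ alpha) = f(x) ^ gamma
    z = f_inv(k3 ^ k5 ^ alpha)           # f(z) = k3 ^ k5 ^ alpha
    p_r = x ^ k3 ^ f(z ^ f(x) ^ k2 ^ k4)
    p_l = z ^ f(x) ^ k4 ^ f(p_r ^ k1)
    q_r = x ^ alpha ^ k3 ^ f(z ^ f(x) ^ k6 ^ k4)
    q_l = z ^ f(x) ^ gamma ^ k4 ^ f(q_r ^ k1)
    return (p_l, p_r), (q_l, q_r)

def relation_holds(keys, p, q):
    """Equation (1): p_R ^ p~_R ^ c_R ^ c~_R == 0."""
    c, d = encrypt(p, keys), encrypt(q, keys)
    return (p[1] ^ q[1] ^ c[1] ^ d[1]) == 0

def round_keys(h):
    """Toy key schedule: seven 16-bit round keys from a 32-bit chaining value
    (assumption). f is a bijection, so k2 != k6 for every h."""
    h_l, h_r = h >> W, h & MASK
    return [f(h_l ^ (i * 0x1111)) ^ h_r for i in range(1, 8)]

def mmo(h, m):
    """Matyas-Meyer-Oseas compression h' = F_h(m) ^ m on 32-bit values."""
    c_l, c_r = encrypt((m >> W, m & MASK), round_keys(h))
    return ((c_l << W) | c_r) ^ m

def mmo_half_collision(h, x=0x1234):
    """Two distinct blocks whose MMO outputs agree on the right half (Section 3.3)."""
    p, q = special_pair(round_keys(h), x)
    return (p[0] << W) | p[1], (q[0] << W) | q[1]

if __name__ == "__main__":
    keys = [int.from_bytes(os.urandom(2), "big") for _ in range(7)]
    p, q = special_pair(keys, 0xBEEF)
    print("pair:", p, q, "relation (1):", relation_holds(keys, p, q))
    m1, m2 = mmo_half_collision(0xCAFEBABE)
    print("MMO right halves:", mmo(0xCAFEBABE, m1) & MASK, mmo(0xCAFEBABE, m2) & MASK)
```

Because $p_R \oplus c_R = \tilde p_R \oplus \tilde c_R$ holds with probability one for the constructed pair, the right halves of $F_h(m) \oplus m$ agree for the two blocks regardless of the chaining value, whereas a random pair of 32-bit blocks satisfies (1) with probability $2^{-16}$.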

4 Related Work 

Distinguishing attacks on block ciphers where the key is known were introduced 
in [3] under the name correlation intractability. It was shown that no block ci- 
pher can be secure under this notion of security: for every block cipher, there 
exists a relation such that given the key, it is easy to find plaintext/ciphertext 
pairs satisfying this relation, but it is difficult to find them for a random per- 
mutation. The result is based on the observation that all implementable block 
ciphers (must) have a description, whereas a random oracle doesn't. The rela- 
tion is constructed by putting the description of the block cipher in the plain- 
texts. 

It can be argued, however, that the relation of [3] is contrived. It is not clear 
at all how or whether such a relation may lead to weaknesses in "reasonable" 
block-cipher based designs. Secondly, the relation is not interesting from a block 
cipher designer's point of view, because it applies to all implementable block 
ciphers. Hence, it gives no guidance on how to construct block ciphers that 
can be used, for instance, in block-cipher based hash function constructions, or 
in any other application where the key is known to the attacker or under her 
control. 

5 Discussion of Known-Key Attacks 

The discussion in the previous section suggests there might be a need for a new 
notion of security, under which the attacks presented in Section 2 and Section 3 
count as valid attacks, but the general result of [3] doesn't. Indeed, the foremost 
idea in our mind is to evaluate the security of specific, implementable block 
cipher designs and their suitability for applications which commonly use block 
ciphers as an underlying component. 

However, it appears to be non-trivial to formalize a notion of security and at 
the same time avoid trivial attacks. A bullet-proof model is likely to be compli- 
cated and not very transparent. Therefore, we present here some intuitions on what 
we think are essential elements of such a new notion of security. The introduction 
of the notion itself remains an open problem. 
5.1 Intuitions for the Basic (Known-Key) Scenario 

In this scenario, we would measure the security of the cipher against known-key 
attacks by computing the average advantage over all values of the key $k$. 

A possible way to reduce the number of parasitical attacks in an informal 
model would be the following thought exercise. Whenever we do a 
known-key analysis of one specific block cipher, we would rule out attacks which 
will succeed with approximately the same work effort on any block cipher. Hence 
such attacks would not change the relative ranking of the block ciphers we would 
examine. 

5.2 Intuitions for Extended Scenarios 

In a so-called weak key scenario, the attacker would know that the key would 
come out of a pre-specified subset of the whole key space. Such a scenario could 
reveal weak keys. 

In a related-key scenario, we would consider scenarios where the attacker is 
given several different keys $k_i$ which could have a known relation to one an- 
other. By loosening the relation between the $k_i$'s, we would eventually measure 
how well the block cipher would resemble a set of randomly selected permuta- 
tions. 

The above extensions can be illustrated using the block cipher DES. The 
differential attack on DES uses a 13-round characteristic of average probabil- 
ity $2^{-47}$, built from iterating a two-round characteristic of average probability 
$1/234$. However, it is well known that the exact probability for two rounds is 
either $1/146$ or $1/585$ depending on the value of one key bit. Thus, by restricting 
ourselves to the subset of keys which provide the highest probabilities, better re- 
sults would be achieved. Also, if $y = \mathrm{DES}_k(x)$ then it holds that $\mathrm{DES}_{\bar k}(\bar x) = \bar y$, 
where $\bar z$ denotes the bitwise complement of $z$. This means that for a pair of 
keys $(k_1, k_2)$, where $k_1$ is the bitwise complement of $k_2$, it is easy to 
distinguish the induced encryption functions from two randomly chosen permu- 
tations. 

6 Conclusion 

In this paper we presented two distinguishers for block ciphers where the at- 
tacker is given the key. Although [3] already presented very strong results in this 
model, we tried to show that our attacks are still interesting from a practical 
security point of view, in particular when one considers block cipher applica- 
tions where the key is indeed known to the attacker, e.g. block-cipher based 
hash functions. 

Subsequently we argued that a suitable notion of security is still missing in 
the cryptographic literature, and we presented some intuitions on what such a 
new notion could look like. 
A Variant Attack on a 7-Round Feistel Cipher 

We present here a variant of the statistical distinguisher presented in Section 3. 
It works only if the following conditions are met. 

1. The round function $f$ must map at least two inputs, denoted by $x, x \oplus \alpha$, 
to the same output, denoted by $y$. It must be possible for the attacker to 
determine $x$, $y$ and $\alpha$. 

2. For most outputs, it must be easy to construct an input mapping to that 
output. 

The distinguisher can be seen as an extension of the known 5-round impossible differ- 
ential. The transcript now consists of the plaintexts $(p_L, p_R)$, 
$(\tilde p_L, \tilde p_R)$ with 

$p_L = z \oplus y \oplus k_4 \oplus f(x \oplus k_3 \oplus f(z \oplus y \oplus k_4 \oplus k_2) \oplus k_1),$ 
$p_R = x \oplus k_3 \oplus f(z \oplus y \oplus k_4 \oplus k_2),$ 
$\tilde p_L = z \oplus y \oplus k_4 \oplus f(x \oplus \alpha \oplus k_3 \oplus f(z \oplus y \oplus k_4 \oplus k_2) \oplus k_1),$ 
$\tilde p_R = \ldots$ (not legible in the source) 

and the corresponding ciphertexts. Here $z$ is defined by $f(z) = k_3 \oplus k_5$. We 
discuss below what to do if no such $z$ exists. The test is again: verify whether 

$p_R \oplus \tilde p_R = c_R \oplus \tilde c_R. \qquad (2)$ 

If it is not possible to find a $z$ such that $f(z) = k_3 \oplus k_5$, then we can search for 
a $z'$ such that $f(z') = k_3 \oplus k_5 \oplus \alpha$. We can then construct a plaintext pair such 
that in the first text the inputs to $f$ in rounds three and five are $x$ and 
$x \oplus \alpha$ respectively, and in the second text $x \oplus \alpha$ and $x$. This pair will also satisfy (2). 
Finally, if this is not possible either, there might be another difference $\alpha$ that 
can be used. 
Abstract. Unbalanced Feistel schemes with expanding functions are 
used to construct pseudo-random permutations from $kn$ bits to $kn$ bits 
by using random functions from $n$ bits to $(k-1)n$ bits. At each round, 
all the bits except $n$ bits are changed by using a function that depends 
only on these $n$ bits. Jutla investigated such schemes, which he de- 
notes by $F_k^d$, where $d$ is the number of rounds. In this paper, we describe 
novel Known Plaintext Attacks (KPA) and Non-Adaptive Chosen Plain- 
text Attacks (CPA-1) against these schemes. With these attacks we will 
often be able to improve the results of Jutla. 

Keywords: Unbalanced Feistel permutations, pseudo-random permuta- 
tions, generic attacks on encryption schemes, Block ciphers. 


1 Introduction 

A Feistel scheme from $\{0,1\}^\ell$ to $\{0,1\}^\ell$ with $d$ rounds is a permutation built from 
round functions $f_1, \ldots, f_d$. When these round functions are randomly chosen, we 
obtain what is called a "Random Feistel Scheme". The attacks on these "random 
Feistel schemes" are called "generic attacks" since these attacks are valid for most 
of the round functions $f_1, \ldots, f_d$. 

When $\ell = 2n$ and when the $f_i$ functions are from $\{0,1\}^n$ to $\{0,1\}^n$ we obtain 
the most classical Feistel schemes, also called "balanced" Feistel schemes. Since 
the famous paper of Luby and Rackoff, many results have been obtained on 
the security of such classical Feistel schemes (see the literature for an overview of these 
results). When the number of rounds is at most 5, we know attacks with less 
than $2^\ell$ ($= 2^{2n}$) operations: for 5 rounds, an attack in $O(2^n)$ operations is known, 
and for 3 or 4 rounds an attack in $O(\sqrt{2^n})$. When the functions 
are permutations, similar attacks for 5 rounds are known. Therefore, for 

K. Kurosawa (Ed.): ASIACRYPT 2007, LNCS 4833, pp. 325–341, 2007. 
security, at least 6 rounds are recommended, i.e. each bit will be changed at least 
3 times. 

When $\ell = kn$ and when the round functions are from $(k-1)n$ bits to $n$ 
bits, we obtain what is called an "Unbalanced Feistel Scheme with contracting 
functions". Some security proofs are known for such schemes when, for 
the first and the last rounds, pairwise independent functions are used instead of 
random contracting functions. At Asiacrypt 2006, generic attacks on such 
schemes were studied. 

When $\ell = kn$ and when the round functions are from $n$ bits to $(k-1)n$ 
bits, we obtain what is called an "Unbalanced Feistel Scheme with expanding 
functions", also called "complete target heavy unbalanced Feistel networks". 
Generic attacks on Unbalanced Feistel Schemes with expanding functions are the 
theme of this paper. One advantage of these schemes is that it requires much 
less memory to store a random function from $n$ bits to $(k-1)n$ bits than a random 
function from $(k-1)n$ bits to $n$ bits. BEAR and LION are two block ciphers 
which employ both expanding and contracting unbalanced Feistel networks. The 
AES candidate MARS also uses a similar structure. 

Attacks on Unbalanced Feistel Schemes with expanding functions have been 
previously studied by Jutla. We will often be able to improve his attacks 
by attacking more rounds, or by using a smaller complexity. Moreover, we will 
generalize these attacks by analyzing KPA (Known Plaintext Attacks), not only 
CPA-1 (non-adaptive chosen plaintext attacks), and by giving explicit formulas for the 
complexities. We will not introduce adaptive attacks, or chosen plaintext and 
chosen ciphertext attacks, since we have not found anything significantly better 
than CPA-1. 

The paper is organized as follows. First, we give our notation. Then we de- 
scribe the different families of attacks we have studied. We will have three families 
of attacks called "2-point attacks" (TWO), "rectangle attacks" (SQUARE, R1, 
R2, R3, R4) and "Multi-Rectangle attacks". In this paper, we will study in detail 
TWO and rectangle attacks, but we will give only a few comments on "Multi- 
Rectangle attacks" (Multi-Rectangle attacks are still under investigation). It can 
be noticed that $k = 2$ is very different from $k \geq 3$. 

2 Notation 

Our notation is very similar to that of Jutla. An unbalanced Feistel scheme with ex- 
panding functions $F_k^d$ is a Feistel scheme with $d$ rounds. At each round $j$, we 
denote by $f_j$ the round function from $n$ bits to $(k-1)n$ bits. $f_j$ is defined as 
$f_j = (f_j^{(1)}, f_j^{(2)}, \ldots, f_j^{(k-1)})$, where each function $f_j^{(i)}$ is defined from $\{0,1\}^n$ 
to $\{0,1\}^n$. On some input $[I^1, I^2, \ldots, I^k]$, $F_k^d$ produces an output denoted by 
$[S^1, S^2, \ldots, S^k]$ by going through $d$ rounds. At round $j$, the first $n$ bits of the 
round entry are used as an input to the round function $f_j$, which produces 
$(k-1)n$ bits. Those bits are XORed to the $(k-1)n$ last bits of the round en- 
try and the result is rotated by $n$ bits. We introduce the internal variable $X^j$: it 
is the $n$-bit value produced by round $j$, which will be the input of the next round 
function $f_{j+1}$. For example, we have: 

$X^1 = I^2 \oplus f_1^{(1)}(I^1)$ 

$X^2 = I^3 \oplus f_1^{(2)}(I^1) \oplus f_2^{(1)}(X^1)$ 

$X^3 = I^4 \oplus f_1^{(3)}(I^1) \oplus f_2^{(2)}(X^1) \oplus f_3^{(1)}(X^2)$ 

The first round is represented in Figure 1 below: 

Fig. 1. First round of $F_k^d$: the input $[I^1, I^2, \ldots, I^k]$ is mapped to 
$[\,X^1 = I^2 \oplus f_1^{(1)}(I^1),\ I^3 \oplus f_1^{(2)}(I^1),\ \ldots,\ I^k \oplus f_1^{(k-1)}(I^1),\ I^1\,]$ [figure omitted] 

After $d$ rounds ($d \geq k+1$), the output $[S^1, S^2, \ldots, S^k]$ can be expressed by 
using the introduced values $X^j$: 

$S^k = X^{d-1}$ 

$S^{k-1} = X^{d-2} \oplus f_d^{(k-1)}(X^{d-1})$ 

$S^{k-2} = X^{d-3} \oplus f_{d-1}^{(k-1)}(X^{d-2}) \oplus f_d^{(k-2)}(X^{d-1})$ 

3 Overview of the Attacks

We investigated several attacks allowing to distinguish $F_k^d$ from a random permutation. Depending on the values of $k$ and $d$, some attacks are more efficient than others. All our attacks are using sets of plaintext/ciphertext pairs: the sets can be simply couples (for attack TWO) or a rectangle structure with either four plaintext/ciphertext pairs (attack SQUARE) or more (attacks R1, R2, R3, and R4). Depending on the number of rounds, it is possible to find some relations between the input variables and output variables of the pairs of a set. Those relations can appear at random, or due to equalities of some internal variables caused by the structure of the Feistel scheme.

The TWO attack consists in using $m$ plaintext/ciphertext pairs and in counting the number $\mathcal{N}_{F_k^d}$ of couples of these pairs that satisfy the relations between the input and output variables. We then compare $\mathcal{N}_{F_k^d}$ with $\mathcal{N}_{perm}$, where $\mathcal{N}_{perm}$ is the number of couples of pairs for a random permutation instead of $F_k^d$. The attack is successful, i.e. we are able to distinguish $F_k^d$ from a random permutation, if the difference $|E(\mathcal{N}_{F_k^d}) - E(\mathcal{N}_{perm})|$ is much larger than the standard deviation $\sigma_{perm}$ and than the standard deviation $\sigma_{F_k^d}$, where $E$ denotes the expectancy function. In order to compute these values, we need to take into account the fact that the structures obtained from the $m$ plaintext/ciphertext tuples are not independent. However their mutual dependence is very small. To compute $\sigma_{perm}$ and $\sigma_{F_k^d}$, we will use this well-known formula, as in [?], that we will call the “Covariance Formula”:

$$V\Big(\sum_i X_i\Big) = \sum_i V(X_i) + \sum_{i \neq j} \big[E(X_i X_j) - E(X_i) E(X_j)\big]$$

where the $X_i$ are random variables.

In the attacks R1, R2, R3, and R4, we use a rectangle structure: we consider $\varphi$ plaintext/ciphertext pairs, where $\varphi$ is an even number and is the total number of indexes of the rectangle. We will fix some conditions on the inputs of the $\varphi$ pairs. In the case of $F_k^d$, those conditions will turn into conditions on the internal state variables $X^j$ due to the structure of the Feistel scheme. These conditions will imply equations on the outputs. In the case of a random permutation, equations on the outputs will only appear at random. By counting the sets of $\varphi$ pairs satisfying the conditions on inputs and outputs, we can distinguish between $F_k^d$ and a random permutation, since in the case of $F_k^d$ the equations on the outputs appear not only at random, but a part of them is due to the conditions we set. However, those attacks are not always able to distinguish between $F_k^d$ and a random permutation, since they require some internal collision to appear in the structure of the Feistel scheme. For some instances of $F_k^d$ the desired collision will not exist and the attacks will fail. There exists a probability $\varepsilon$, which is a strictly positive constant independent of $n$, such that rectangle structures appear for $F_k^d$. How to compute this probability can be found in the extended version. Consequently, in order to verify that we are able to distinguish between the family of $F_k^d$ permutations and the family of random permutations, we can apply our attacks on several randomly chosen instances of $F_k^d$ or of random permutations, count the number of instances where the attack is working, and compare this number for $F_k^d$ and for a random permutation. Attacks R1, R2, R3, and R4 all share this principle, but the conditions imposed on the plaintexts and ciphertexts are different.

The SQUARE attack is a special case of attack R1, when $\varphi = 4$. In the next sections, we will give more precise definitions of these attacks and examples for attack TWO and attack R1. Finally we will consider attacks with more than $2^{kn}$ computations, i.e. attacks against generators of pseudo-random permutations. All the results are summarized in Section 9.

For a fixed value of $k$, attack TWO is very efficient for small values of $d$. When $d$ increases, first SQUARE, which is a variant of R1, then R1 will become the best known attack. Then, when $d$ increases again, R2, R3 or R4 will become the best known attack. Finally, for very large $d$, TWO will become again the best known attack.


4 Attack “TWO”

In this section, we describe a family of attacks called “TWO”. These attacks will use correlations on pairs of plaintext/ciphertext. Therefore, they can be called “2-point” attacks. When $k = 2$, i.e. on classical balanced Feistel schemes, these attacks give the best known generic attacks [?]. However these attacks have not been studied in [?]. As we will see, TWO attacks are sometimes more efficient than the attacks of [?], for example when the number of rounds is very small.

The principle of attack TWO is to concentrate on one of the equations linking an output word $S^i$ with some of the internal variables $X^j$. By fixing the first $n$-bit blocks of the input $I$, we fix the value of some of the internal variables, and a simple equality between the remaining input blocks and the output word becomes true assuming that a collision on some of the internal variables occurs. If the number of plaintext/ciphertext pairs is sufficiently large, this collision will appear and the attack succeeds.

In order to illustrate attack TWO, we now present the attack against $F_k^d$, $k+2 \leq d \leq 2k-1$. We will concentrate the attack on the equation:

$$S^{2k-d} = X^{k-1} \oplus \bigoplus_{i=k}^{d-1} f_{i+1}^{(2k-i-1)}(X^i)$$

The $i$-th pair is denoted by $[I^1(i), I^2(i), \ldots, I^k(i)]$ for the plaintext and by $[S^1(i), S^2(i), \ldots, S^k(i)]$ for the ciphertext. We will count the number $\mathcal{N}$ of $(i, j)$ such that $I^1(i) = I^1(j)$, $I^2(i) = I^2(j)$, $\ldots$, $I^{k-1}(i) = I^{k-1}(j)$, $S^k(i) = S^k(j)$, $S^{k-1}(i) = S^{k-1}(j)$, $\ldots$, $S^{2k-d+1}(i) = S^{2k-d+1}(j)$ and $S^{2k-d}(i) \oplus S^{2k-d}(j) = I^k(i) \oplus I^k(j)$. For $F_k^d$, this last equation is a consequence of the other equations, i.e. of these $k-1$ equations in $I$ and $d-k$ equations in $S$. Therefore, the attack will succeed in KPA when $m^2 \geq 2^{(d-1)n}$, i.e. when $m \geq 2^{\frac{d-1}{2}n}$. In CPA-1, we will fix $I^1, I^2, \ldots, I^{k-1}$ to some values, and we will do this $\alpha$ times. The attack will succeed with $\alpha = 2^{(d-k-2)n}$ and the complexity in CPA-1 is $\alpha \cdot 2^n = 2^{(d-k-1)n}$.

5 “R1” Attack

5.1 Definition of R1

We now give a definition of attack R1. Let us consider $\varphi$ plaintext/ciphertext pairs. We first set the following conditions on the input variables:

$$(I) = \begin{cases} I^1(1) = I^1(2),\ I^1(3) = I^1(4),\ I^1(5) = I^1(6),\ \ldots,\ I^1(\varphi-1) = I^1(\varphi) \\ \forall i,\ 2 \leq i \leq k:\ I^i(1) \oplus I^i(2) = I^i(3) \oplus I^i(4) = \ldots = I^i(\varphi-1) \oplus I^i(\varphi) \end{cases}$$

Conditions on the first block $I^1$ are here to cancel the impact of function $f_1$, while conditions on the other blocks are used to obtain differential equations on the internal state variables. These equations will then propagate to other rounds with some probability until they turn into equations on the outputs, which can then be detected.

In order for the previous conditions to propagate with high probability, we need some extra conditions on the internal state variables. We have $d-2$ internal state variables $X^1, X^2, \ldots, X^{d-2}$, and $X^{d-1} = S^k$ is an output variable.

Let $a$ be an integer, $1 \leq a \leq d-1$. We will choose $a$ values of $\{1, 2, \ldots, d-k\}$. Let $\mathcal{E}$ be the set of these $a$ values, and let $\mathcal{F}$ be the set of all integers $i$, $1 \leq i \leq d-1$, such that $i \notin \mathcal{E}$. We have $|\mathcal{E}| = a$ and $|\mathcal{F}| = d-a-1$. Let $(X)$ be the set of the following equalities:

$$(X) = \begin{cases} \forall i \in \mathcal{E},\ X^i(1) = X^i(3) = \ldots = X^i(\varphi-1) \\ \forall i \in \mathcal{F},\ X^i(1) = X^i(2) \end{cases}$$

Between two different plaintext/ciphertext pairs $i$ and $j$, $i \neq j$, we can have at most $k-1$ successive equalities on the variables $I^1, X^1, X^2, \ldots, X^{d-1}$. Otherwise, from $k$ successive equalities we would get $I^1(i) = I^1(j)$, $I^2(i) = I^2(j)$, $\ldots$, $I^k(i) = I^k(j)$, so the two messages would be the same. Therefore we must have $\lfloor k/2 \rfloor \leq a \leq d-1-\lfloor k/2 \rfloor$. For the same reason we must have $(d-k) \in \mathcal{E}$, since $d-1, d-2, \ldots, d-k+1$ are in $\mathcal{F}$.

From the conditions $(I)$ and $(X)$, and considering the equalities that we can derive from them with probability one, we will have:

$$(S) = \begin{cases} \forall i,\ 2 \leq i \leq k:\ S^i(1) = S^i(2),\ S^i(3) = S^i(4),\ \ldots,\ S^i(\varphi-1) = S^i(\varphi) \\ S^1(1) \oplus S^1(2) = S^1(3) \oplus S^1(4) = \ldots = S^1(\varphi-1) \oplus S^1(\varphi) \end{cases}$$

Consequently the conditions $(S)$ can appear by chance, or due to the conditions $(X)$.

Our KPA attack consists in counting the number $\mathcal{N}$ of rectangle sets of plaintext/ciphertext pairs satisfying the conditions $(I)$ and $(S)$. The obtained number can be divided into two parts: either the conditions $(I)$ and $(S)$ appear completely at random, or conditions $(I)$ appear and conditions $(S)$ are satisfied because $(X)$ happened.

Figure 2 illustrates one rectangle set of our attack. Plaintext/ciphertext pairs are denoted by $1, 2, \ldots, \varphi$. Two points are joined by an edge if the values are equal (for example $I^1(1) = I^1(2)$). We draw a solid edge if the equality appears with probability $1/2^n$, and a dotted line if the equality follows conditionally with probability 1 from other imposed equalities.


5.2 “R1” Attack on $F_3^7$

Before studying the general properties of R1, we will illustrate this attack with an example. We will now describe our “R1” attack on $F_3^7$. As we will see, we will obtain here a complexity in $O(2^{2n})$ in CPA-1 and in $O(2^{\frac{5n}{2}})$ in KPA. This is better than the $O(2^{3n})$ of the TWO attacks. In [?], Jutla shows that he can obtain on $F_k^d$ attacks with complexity less than $O(2^{kn})$ when $d \leq 3k-3$. For $k = 3$, this gives attacks up to only 6 rounds, unlike here where we will reach 7 rounds with a complexity less than $2^{3n}$. We have $F_3^7[I^1, I^2, I^3] = [S^1, S^2, S^3]$.

Generic Attacks on Unbalanced Feistel Schemes with Expanding Functions 331

Fig. 2. Attack R1 on $F_k^d$ (points $1, \ldots, \varphi$; solid edges for the equalities on $I^1$ and on $X^i$, $i \in \mathcal{E}$ and $i \in \mathcal{F}$; dotted edges for the equalities that follow with probability 1).

Let $i_1, i_2, i_3, i_4, i_5, i_6$ be six indexes of messages (so these values are between 1 and $m$). We will denote by $[I^1(a), I^2(a), I^3(a)]$ the plaintext of message $i_a$, and by $[S^1(a), S^2(a), S^3(a)]$ the ciphertext of message $i_a$ (i.e. for simplicity we use the notation $I^1(a)$ and $S^1(a)$ instead of $I^1(i_a)$ and $S^1(i_a)$, $1 \leq a \leq 6$). The idea of the attack is to count the number $\mathcal{N}$ of indexes $(i_1, i_2, i_3, i_4, i_5, i_6)$ such that:

$$\begin{cases} I^1(1) = I^1(2) \text{ and } I^1(3) = I^1(4) \text{ and } I^1(5) = I^1(6) \\ I^2(1) \oplus I^2(2) = I^2(3) \oplus I^2(4) = I^2(5) \oplus I^2(6) \\ I^3(1) \oplus I^3(2) = I^3(3) \oplus I^3(4) = I^3(5) \oplus I^3(6) \\ \text{and} \\ S^3(1) = S^3(2) \text{ and } S^3(3) = S^3(4) \text{ and } S^3(5) = S^3(6) \\ S^2(1) = S^2(2) \text{ and } S^2(3) = S^2(4) \text{ and } S^2(5) = S^2(6) \\ S^1(1) \oplus S^1(2) = S^1(3) \oplus S^1(4) = S^1(5) \oplus S^1(6) \end{cases}$$

We will call the 7 first equations the “input equations” and we will call the 8 last equations the “output equations”.

KPA. If the messages are randomly chosen, for a random permutation we will have $E(\mathcal{N}_{perm}) \approx \frac{m^6}{2^{15n}}$. For a $F_3^7$ permutation we will have about 2 times more solutions, since the 8 output equations can occur at random, or due to the following 8 internal equations:

$$\begin{cases} X^1(1) = X^1(3) = X^1(5) \\ X^2(1) = X^2(2) \\ X^3(1) = X^3(2) \\ X^4(1) = X^4(3) = X^4(5) \\ X^5(1) = X^5(2) \\ X^6(1) = X^6(2) \end{cases}$$

We get the following conditions on the internal variables:

$$\begin{cases} X^2(1) = X^2(2) \text{ gives } X^2(3) = X^2(4) \text{ and } X^2(5) = X^2(6) \\ X^3(1) = X^3(2) \text{ gives } X^3(3) = X^3(4) \text{ and } X^3(5) = X^3(6) \\ X^4(1) = X^4(3) = X^4(5) \text{ gives } X^4(2) = X^4(4) = X^4(6) \\ X^5(1) = X^5(2) \text{ gives } X^5(3) = X^5(4) \text{ and } X^5(5) = X^5(6) \\ X^6(1) = X^6(2) \text{ gives } X^6(3) = X^6(4) \text{ and } X^6(5) = X^6(6) \end{cases}$$

Now since $S^3 = X^6$, $S^2 = X^5 \oplus f_7^{(2)}(X^6)$ and $S^1 = X^4 \oplus f_6^{(2)}(X^5) \oplus f_7^{(1)}(X^6)$, we get the 8 output equations written above. Therefore, in KPA, for a $F_3^7$ permutation, the expectancy of $\mathcal{N}_{F_3^7}$ is larger than for a random permutation by a value of about $\frac{m^6}{2^{15n}}$ (since we have 8 equations in $X$ and 7 in $I$), i.e. we expect to have about 2 times more solutions for $\mathcal{N}$: $E(\mathcal{N}) \approx \frac{2 m^6}{2^{15n}}$ for $F_3^7$. So we will be able to distinguish with a high probability $F_3^7$ from a random permutation by counting $\mathcal{N}$ when $\mathcal{N} \neq 0$ with a high probability, i.e. when $m^6 \geq O(2^{15n})$, or $m \geq O(2^{\frac{5n}{2}})$. We have found here a KPA with $O(2^{\frac{5n}{2}})$ complexity and $O(2^{\frac{5n}{2}})$ messages. This is better than the $O(2^{3n})$ complexity of the attack TWO, and it shows that we can attack 7 rounds, not only 6, with a complexity less than $2^{3n}$.

CPA-1. We can transform this KPA into a CPA-1. We will choose only 3 fixed different values $c_1, c_2, c_3$ for $I^1$: $\frac{m}{3}$ plaintexts will have $I^1 = c_1$, $\frac{m}{3}$ plaintexts will have $I^1 = c_2$, and $\frac{m}{3}$ plaintexts will have $I^1 = c_3$. We will generate all (or almost all) possible messages $[I^1, I^2, I^3]$ with such $I^1$. Therefore, $m = 3 \cdot 2^{2n}$. We can derive from these $m$ messages $O(m^4)$ tuples $(i_1, i_2, i_3, i_4, i_5, i_6)$ satisfying our 7 input equations. For a random permutation we will have $E(\mathcal{N}_{perm}) = O\big(\frac{m^4}{2^{8n}}\big)$ (since we have 8 output equations). For a permutation $F_3^7$, we will have about 2 times more solutions, since the 8 output equations can occur at random, or due to the 8 internal equations in $X$, as we have seen. So this CPA-1 will succeed when $\mathcal{N} \neq 0$ with a high probability, i.e. when $m^4 \geq O(2^{8n})$, or $m \geq O(2^{2n})$. Here we have $m \approx 3 \cdot 2^{2n}$, so the probability of success is not negligible. Moreover, if it fails for some values $(c_1, c_2, c_3)$ for $I^1$, we can start again with another $(c_1, c_2, c_3)$. Therefore this CPA-1 is in $O(2^{2n})$ complexity and $O(2^{2n})$ messages. (This is better than the $O(2^{3n})$ we have found with the TWO attack.)

5.3 Properties of R1

We now describe the general properties of R1. We will denote by $n_I$ the number of equalities in $(I)$, and by $n_S$ the number of equalities in $(S)$. Similarly, we will denote by $n_X$ the number of equalities in $(X)$. Therefore $n_X$ is the number of independent equalities in the $X^i$ variables needed in order to get $(S)$ from $(I)$ (in the previous example presented in Section 5.2, we have $n_I = 7$, $n_S = 8$ and $n_X = 8$). In this attack R1 we have:

$$\begin{cases} n_I = \frac{k\varphi}{2} - k + 1 \\ n_S = \frac{k\varphi}{2} - 1 \\ n_X = a\left(\frac{\varphi}{2} - 2\right) + d - 1 \end{cases}$$

The idea of R1 is to minimize the total number $n_I + n_X$ of needed equations in $I$ and $X$. When this criterion is dominant, R1 will be the best attack.

The value $\mathcal{N}$ is expected to be larger for a $F_k^d$ than for a random permutation, due to the fact that $(S)$ can come from random reasons or from $(X)$ in $F_k^d$. Therefore, it is natural, in order to get a necessary and sufficient condition of success for R1, to evaluate the expectancy and the standard deviation of $\mathcal{N}$ in the case of $F_k^d$ and in the case of random permutations. This can be done (by using the covariance formula as in [?] or by using approximations as in [?]) and we have found that each time R1 was better than TWO, we had $n_X \leq n_S$. However, when $n_X \leq n_S$ we can easily obtain a sufficient condition of success for R1 without computing the standard deviations, since when $n_X \leq n_S$ we will have for most permutations about 2 times more (or more) solutions with $F_k^d$ than with a random permutation. Therefore, a sufficient condition of success for R1 when $n_X \leq n_S$ is that $(X)$ and $(I)$ can be satisfied with a non-negligible probability. A sufficient condition for this is to have:

In KPA

Condition 1: $n_X \leq n_S$.

Condition 2: $m^{\varphi} \geq 2^{n(n_I + n_X)}$.

Condition 3: $m^2 \geq 2^{(d-a)n}$.

Condition 4: $m^3 \geq 2^{dn}$ and more generally $\forall i$, $0 \leq i \leq \frac{\varphi}{2} - 2$: $m^{3+i} \geq 2^{(d+ai)n}$.

Condition 5: $m^4 \geq 2^{(d+k)n}$.

(Conditions 2, 3, 4, 5 are necessary. Conditions 1, 2, 3, 4, 5 are sufficient for success. Condition 1 is not necessary, but the computation of $\sigma(\mathcal{N})$ shows that R1 is not better than TWO when $n_X > n_S$.)

Condition 2 comes from the fact that we have about $m^{\varphi}$ rectangles with $\varphi$ points, and the probability that $(I)$ and $(X)$ are satisfied on one rectangle is $1/2^{n(n_I + n_X)}$.

Condition 3 comes from the fact that between points 1 and 2 we have $|\mathcal{F}|$ equations in $X^i$ and one equation in $I^1$. Therefore in KPA we must have $m^2 \geq 2^{(|\mathcal{F}|+1)n} = 2^{(d-a)n}$.

Condition 4 comes from the fact that between points 1, 2 and 3 we have $d-1$ equations in $X^i$ and one equation in $I^1$. Therefore we must have $m^3 \geq 2^{dn}$. Similarly, between the points 1, 2, 3, 5 we must have $m^4 \geq 2^{(d+a)n}$. And similarly, between the points 1, 2, 3, 5, 7, ..., $(\varphi-1)$ we must have $m^{\frac{\varphi}{2}+1} \geq 2^{(d + a(\frac{\varphi}{2}-2))n}$.

Condition 5 comes from the fact that between points 1, 2, 3, 4 we have $d-1$ equations in $X^i$, 2 equations in $I^1$ and $(k-1)$ in $I^2, I^3, \ldots, I^k$.

It is easy to see that the conditions on any points are consequences of these 5 conditions. Moreover, if $m \geq 2^{an}$ (we will often, but not always, choose $a$ like this), condition 4 can be replaced by only $m^3 \geq 2^{dn}$.

CPA-1. In CPA-1 the sufficient conditions when $m \leq 2^{(k-1)n}$ are:

Condition 1: $n_X \leq n_S$.

Condition 2: $m^{\frac{\varphi}{2}+1} \geq 2^{n\, n_X}$.

Condition 3: $m^2 \geq 2^{(d-a-1)n}$.

Condition 4 and Condition 5: $m^3 \geq 2^{(d-1)n}$.

From these conditions we can compute the best parameters $a$ and $\varphi$ for any $d$ and $k$, when $d$ and $k$ are fixed.

Remark. If we choose $n_X < n_S$ (instead of $n_X \leq n_S$), the attacks are slightly less efficient but more spectacular, since with a non-negligible probability $(I)$ and $(S)$ are satisfied with $F_k^d$ and not with random permutations. Moreover, with $n_X < n_S$ it is still possible (with R2) to attack $3k-1$ rounds with less than $2^{kn}$ complexity.

6 “R2”, “R3”, “R4” Attacks for Any $k \geq 3$ with $d \geq k$

R2, R3, and R4 attacks are very similar to attack R1, but the conditions on the variables are not the same.

6.1 R2 Attacks

In the R2 attack, we will choose $a$ values of $\{1, 2, \ldots, d-k\}$. Let $\mathcal{E}$ be the set of these $a$ values, and let $\mathcal{F}$ be the set of all integers $i$, $1 \leq i \leq d-1$, such that $i \notin \mathcal{E}$. We have $|\mathcal{E}| = a$, $|\mathcal{F}| = d-a-1$, and $\mathcal{F}$ contains all the $k-1$ values $i$, $d-k+1 \leq i \leq d-1$. For R2 we have:

$$(I) = \begin{cases} I^1(1) = I^1(3) = I^1(5) = \ldots = I^1(\varphi-1) \\ I^1(2) = I^1(4) = I^1(6) = \ldots = I^1(\varphi) \\ \forall i,\ 2 \leq i \leq k:\ I^i(1) \oplus I^i(2) = I^i(3) \oplus I^i(4) = \ldots = I^i(\varphi-1) \oplus I^i(\varphi) \end{cases}$$

$$(X) = \begin{cases} \forall i \in \mathcal{E},\ X^i(1) = X^i(3) = \ldots = X^i(\varphi-1) \\ \forall i \in \mathcal{F},\ X^i(1) = X^i(2) \end{cases}$$

$$(S) = \begin{cases} \forall i,\ 2 \leq i \leq k:\ S^i(1) = S^i(2),\ S^i(3) = S^i(4),\ \ldots,\ S^i(\varphi-1) = S^i(\varphi) \\ S^1(1) \oplus S^1(2) = S^1(3) \oplus S^1(4) = \ldots = S^1(\varphi-1) \oplus S^1(\varphi) \end{cases}$$

The equations $(X)$ have been chosen such that $(S)$ is just a consequence of $(I)$ and $(X)$. Our attacks consist in counting the number $\mathcal{N}$ of rectangle sets of plaintext/ciphertext pairs satisfying the conditions $(I)$ and $(S)$. Figure 3 illustrates the equations for R2.

Between two different plaintext/ciphertext pairs $i$ and $j$, $i \neq j$, we can have at most $k-1$ successive equalities on the variables $I^1, X^1, \ldots, X^{d-1}$. Therefore, for R2, we have $\lfloor k/2 \rfloor \leq a \leq d-1-\lfloor k/2 \rfloor$, and

Fig. 3. Attack R2 on $F_k^d$

As we have explained for R1, sufficient conditions of success for R2 in KPA are the following 5 conditions:

Condition 1: $n_X \leq n_S$.

Condition 2: $m^{\varphi} \geq 2^{n(n_I + n_X)}$.

Condition 3: $m^3 \geq 2^{dn}$.

Condition 4: $m^2 \geq 2^{(d-a-1)n}$.

Condition 5: $m^4 \geq 2^{(d+k)n}$.

Example for R2. In the R2 attack on $F_3^8$, we have: $\varphi = 8$, $a = 2$, $n_I = 12$, $n_S = 11$ and $n_X = 11$. Details are in the extended version of the paper.
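The parameter search that Section 5.3 describes (“compute the best parameters $a$ and $\varphi$ for any $d$ and $k$”), carried out on the formulas for $n_I$, $n_S$, $n_X$, the five KPA conditions of R1 and R2 above and the CPA-1 conditions of R1. This is an added illustration, not the authors' code. It assumes that $a$ ranges over $\lfloor k/2 \rfloor \leq a \leq \min(d-k,\ d-1-\lfloor k/2 \rfloor)$, that $\varphi$ is searched up to 20, that R2's $n_I$ is $(k+1)(\varphi/2 - 1)$ (the two chains on $I^1$ plus the $k-1$ xor chains, which gives the stated $n_I = 12$ for $\varphi = 8$, $k = 3$), and that the CPA-1 conditions are used only while the exponent stays $\leq k-1$ (the paper's $m \leq 2^{(k-1)n}$). A complexity is returned as the exponent $e$ of $m \approx 2^{en}$.

```python
"""Best rectangle-attack parameters (a, phi) from the sufficient conditions of
Sections 5.3 (R1, KPA and CPA-1) and 6.1 (R2, KPA).  Added illustration of the
paper's formulas, not the authors' code.  A complexity is returned as the
exponent e of m ~ 2^{e n}.  Assumptions: a ranges over
floor(k/2) <= a <= min(d-k, d-1-floor(k/2)), phi is searched up to MAX_PHI,
and the CPA-1 conditions apply only while e <= k-1 (the paper's m <= 2^{(k-1)n})."""
from fractions import Fraction as Fr

MAX_PHI = 20


def r1_counts(k, d, phi, a):
    """n_I, n_S, n_X of R1 (Section 5.3)."""
    return (Fr(k * phi, 2) - k + 1, Fr(k * phi, 2) - 1, a * (Fr(phi, 2) - 2) + d - 1)


def r2_counts(k, d, phi, a):
    """n_I, n_S, n_X of R2: (I) chains I^1 over the odd and over the even points,
    so n_I = (k+1)(phi/2 - 1) (assumed from the definition); (X), (S) as in R1."""
    return ((k + 1) * (Fr(phi, 2) - 1), Fr(k * phi, 2) - 1, a * (Fr(phi, 2) - 2) + d - 1)


def a_range(k, d):
    """E is a subset of {1..d-k} with floor(k/2) <= |E| = a <= d-1-floor(k/2)."""
    return range(max(1, k // 2), min(d - k, d - 1 - k // 2) + 1)


def r1_kpa_exponent(k, d, phi, a):
    """Smallest e such that m = 2^{e n} satisfies KPA conditions 1-5 of R1."""
    n_i, n_s, n_x = r1_counts(k, d, phi, a)
    if n_x > n_s:                                                  # condition 1
        return None
    bounds = [(n_i + n_x) / phi, Fr(d - a, 2), Fr(d + k, 4)]      # conditions 2, 3, 5
    bounds += [Fr(d + a * i, 3 + i) for i in range(phi // 2 - 1)]  # condition 4
    return max(bounds)


def r1_cpa_exponent(k, d, phi, a):
    """Same for the CPA-1 conditions of R1, valid while m <= 2^{(k-1)n}."""
    n_i, n_s, n_x = r1_counts(k, d, phi, a)
    if n_x > n_s:
        return None
    e = max(n_x / (phi // 2 + 1), Fr(d - a - 1, 2), Fr(d - 1, 3))
    return e if e <= k - 1 else None


def r2_kpa_exponent(k, d, phi, a):
    """KPA conditions 1-5 of R2 (Section 6.1)."""
    n_i, n_s, n_x = r2_counts(k, d, phi, a)
    if n_x > n_s:
        return None
    return max((n_i + n_x) / phi, Fr(d, 3), Fr(d - a - 1, 2), Fr(d + k, 4))


def best(exponent, k, d):
    """Smallest exponent over even phi >= 4 and admissible a; returns (e, phi, a)."""
    found = []
    for phi in range(4, MAX_PHI + 1, 2):
        for a in a_range(k, d):
            e = exponent(k, d, phi, a)
            if e is not None:
                found.append((e, phi, a))
    return min(found) if found else None


def two_exponents(k, d):
    """TWO (Section 4): KPA needs m^2 >= 2^{(d-1)n}, CPA-1 costs 2^{(d-k-1)n}."""
    return Fr(d - 1, 2), Fr(d - k - 1)


if __name__ == "__main__":
    for d in range(5, 10):
        print(f"F_3^{d}: TWO {two_exponents(3, d)}, R1 KPA {best(r1_kpa_exponent, 3, d)}, "
              f"R1 CPA-1 {best(r1_cpa_exponent, 3, d)}, R2 KPA {best(r2_kpa_exponent, 3, d)}")
```

On $F_3^7$ the search returns $\varphi = 6$, $a = 2$ with exponent $5/2$ in KPA and $2$ in CPA-1, as in Section 5.2; SQUARE ($\varphi = 4$) is rejected there by condition 1 ($n_X = 6 > n_S = 5$). On $F_3^8$ the R2 search selects $\varphi = 8$, $a = 2$, the parameters of the example above, and on $F_3^5$ R1 and TWO both give $2^{2n}$ in KPA.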


6.2 R3 Attack

In the R3 attack, we set the following conditions on the input variables:

$$(I) = \begin{cases} I^1(1) = I^1(2),\ I^1(3) = I^1(4),\ I^1(5) = I^1(6),\ \ldots,\ I^1(\varphi-1) = I^1(\varphi) \\ \forall i,\ 2 \leq i \leq k:\ I^i(1) \oplus I^i(2) = I^i(3) \oplus I^i(4) = \ldots = I^i(\varphi-1) \oplus I^i(\varphi) \end{cases}$$

Then the conditions on the internal variables (with $|\mathcal{E}| = d-a-1$ and $|\mathcal{F}| = a$, and if $d-k+2 \leq i \leq d-1$ then $i \in \mathcal{F}$) are:

$$(X) = \begin{cases} \forall i \in \mathcal{E},\ X^i(1) = X^i(2) \\ \forall i \in \mathcal{F},\ X^i(1) = X^i(3) = \ldots = X^i(\varphi-1) \end{cases}$$

Finally, the conditions on the output variables are given by:

$$(S) = \begin{cases} S^1(1) \oplus S^1(2) = S^1(3) \oplus S^1(4) = \ldots = S^1(\varphi-1) \oplus S^1(\varphi) \\ S^2(1) \oplus S^2(2) = S^2(3) \oplus S^2(4) = \ldots = S^2(\varphi-1) \oplus S^2(\varphi) \\ \forall i,\ 3 \leq i \leq k:\ S^i(1) = S^i(3) = S^i(5) = \ldots = S^i(\varphi-1) \\ \forall i,\ 3 \leq i \leq k:\ S^i(2) = S^i(4) = S^i(6) = \ldots = S^i(\varphi) \end{cases}$$

Then, the R3 attack proceeds exactly the same as the R1 and R2 attacks.


6.3 R4 Attack

In the R4 attack, we have the following conditions on the input, internal and output variables:

$$(I) = \begin{cases} I^1(1) = I^1(3) = I^1(5) = \ldots = I^1(\varphi-1) \\ I^1(2) = I^1(4) = I^1(6) = \ldots = I^1(\varphi) \\ \forall i,\ 2 \leq i \leq k:\ I^i(1) \oplus I^i(2) = I^i(3) \oplus I^i(4) = \ldots = I^i(\varphi-1) \oplus I^i(\varphi) \end{cases}$$

$$(X) = \begin{cases} \forall i \in \mathcal{E},\ X^i(1) = X^i(2) \\ \forall i \in \mathcal{F},\ X^i(1) = X^i(3) = \ldots = X^i(\varphi-1) \end{cases}$$

(with $|\mathcal{E}| = d-a-1$ and $|\mathcal{F}| = a$, and if $d-k+3 \leq i \leq d-1$ then $i \in \mathcal{F}$)

$$(S) = \begin{cases} S^1(1) \oplus S^1(2) = S^1(3) \oplus S^1(4) = \ldots = S^1(\varphi-1) \oplus S^1(\varphi) \\ S^2(1) \oplus S^2(2) = S^2(3) \oplus S^2(4) = \ldots = S^2(\varphi-1) \oplus S^2(\varphi) \\ S^3(1) \oplus S^3(2) = S^3(3) \oplus S^3(4) = \ldots = S^3(\varphi-1) \oplus S^3(\varphi) \\ \forall i,\ 4 \leq i \leq k:\ S^i(1) = S^i(3) = S^i(5) = \ldots = S^i(\varphi-1) \\ \forall i,\ 4 \leq i \leq k:\ S^i(2) = S^i(4) = S^i(6) = \ldots = S^i(\varphi) \end{cases}$$

Example for R4. We will now present how to attack $F_k^{3k-1}$ when $k \geq 5$ with a complexity less than $2^{kn}$. This example is interesting since $3k-1$ is the maximum number of rounds that we can attack with a complexity lower than $2^{kn}$ (for $d = 3k$ the complexity of the best known attacks becomes $O(2^{kn})$, and for $d \geq 3k+1$ we need more than $O(2^{kn})$ computations). It is also interesting since in [?] Jutla was able to attack only $3k-3$ rounds with a complexity less than $2^{kn}$. We will present only the main ideas. We will use the attack R4 with $a = k-1$, i.e. between 1 and 3 we have these $k-1$ equations: $X^{d-1}, X^{d-2}, \ldots, X^{d-k+3}$, plus $X^k$ and $X^{2k}$.

Remark. With R2 (but not with R1) we can also attack $F_k^{3k-1}$ (with $\varphi = 2k+2$ and $a = k-1$) with a complexity less than $2^{kn}$, but the complexity of R4 will be slightly better.

In R4 with $a = k-1$, we have:

$$\begin{cases} n_I = \frac{k\varphi}{2} + \frac{\varphi}{2} - k - 1 \\ n_S = k\varphi - \frac{3\varphi}{2} - 2k + 3 \\ n_X = \frac{k\varphi}{2} + d - 2k - \frac{\varphi}{2} + 1 \end{cases}$$

Therefore when $d = 3k-1$, we have $n_X = \frac{k\varphi}{2} + k - \frac{\varphi}{2}$, and $n_X \leq n_S$ gives $\varphi \geq 6 + \frac{6}{k-2}$. For $k \geq 5$, this means $\varphi \geq 8$ ($\varphi$ is always even). Now if we look at all the 5 conditions for the complexity, these conditions give: $m \geq 2^{(k-?)n}$ in KPA, and $m \geq 2^{(k-?)n}$ in CPA-1 (the fractional parts of the two exponents are unreadable on the scanned page). These complexities are less than $2^{kn}$ as claimed.

7 Experimental Results

We have implemented the CPA-1 attacks SQUARE and R1 against $F_3^6$, $F_3^7$, and $F_3^8$. The attack against $F_3^6$ uses 4 points and $2^{\frac{5n}{3}}$ plaintexts, the attack against $F_3^7$ uses 6 points and $2^{2n}$ plaintexts, and the attack against $F_3^8$ uses 8 points and $2^{\frac{5n}{2}}$ plaintexts. Our experiments confirm our ability to distinguish between $F_3^6$ or $F_3^7$ or $F_3^8$ and a random permutation. Our experiments were done as follows:

— choose randomly an instance of $F_3^6$ or $F_3^7$ or $F_3^8$;

— choose randomly a permutation: for this we use a classical balanced Feistel scheme with a large number of rounds (more than 20);

— launch the attack in CPA-1;

— count the number of structures satisfying the input and output relations for the $F_3^6$ or $F_3^7$ or $F_3^8$ permutation and for the random permutation;

— if this number is higher than or equal to a fixed threshold (generally 1 or 2), declare the function to be a $F_3^6$ or $F_3^7$ or $F_3^8$ permutation, and otherwise a random permutation.

All these procedures are iterated a large number of times (at least 1000 times) to evaluate the effectiveness of our distinguisher. We give the percentage of success, i.e. the number of $F_3^6$ or $F_3^7$ or $F_3^8$ that have been correctly distinguished, and the percentage of false alarms, i.e. the number of random permutations that have incorrectly been declared as $F_3^6$ or $F_3^7$ or $F_3^8$.
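The scheme $F_k^d$ of Section 2, the 2-point count of Section 4 and the success/false-alarm protocol just described, put together as an added Python illustration (not the paper's code; the paper's experiments used SQUARE and R1, here the simpler TWO count is evaluated the same way). It assumes toy parameters $n = 4$, $k = 3$, $d = 5$, random tabulated round functions, the whole codebook as the known-plaintext set, a random permutation drawn as a shuffled table rather than a 20-round balanced Feistel scheme, and a threshold of $2^{2n-1}$; the names `feistel_trace`, `two_count` and `experiment` are this example's own.

```python
"""F_k^d (Section 2) and the 2-point "TWO" distinguisher (Section 4), evaluated
with the success / false-alarm protocol of Section 7.  Added illustration, not
the paper's code.  n = 4 bits; every random table is constructed here."""
import random
from itertools import product


def random_round_functions(n, k, d, rng):
    """funcs[j-1][i-1] is the table of f_j^(i): {0,1}^n -> {0,1}^n (random)."""
    size = 1 << n
    return [[[rng.randrange(size) for _ in range(size)] for _ in range(k - 1)]
            for _ in range(d)]


def feistel_trace(funcs, blocks):
    """Run the d rounds on [I^1..I^k].  Returns ([S^1..S^k], xs) where xs[j-1]
    is X^j, the first word after round j (so X^{d-1} = S^k and X^d = S^1)."""
    state = list(blocks)
    xs = []
    for f in funcs:
        head, tail = state[0], state[1:]
        # xor f_j(head) onto the k-1 last words, then rotate by one word
        state = [w ^ f[i][head] for i, w in enumerate(tail)] + [head]
        xs.append(state[0])
    return state, xs


def output_relations_hold(funcs, blocks):
    """The three output formulas of Section 2 (needs d >= 4, k >= 3)."""
    d, k = len(funcs), len(blocks)
    S, X = feistel_trace(funcs, blocks)
    x = lambda j: X[j - 1]                 # X^j
    f = lambda j, i: funcs[j - 1][i - 1]   # f_j^(i)
    return (S[k - 1] == x(d - 1)
            and S[k - 2] == x(d - 2) ^ f(d, k - 1)[x(d - 1)]
            and S[k - 3] == x(d - 3) ^ f(d - 1, k - 1)[x(d - 2)]
                                     ^ f(d, k - 2)[x(d - 1)])


def relations_check(n, k, d, seed, samples=64):
    """True if the Section 2 output formulas hold on random inputs of one instance."""
    rng = random.Random(seed)
    funcs = random_round_functions(n, k, d, rng)
    return all(output_relations_hold(funcs, [rng.randrange(1 << n) for _ in range(k)])
               for _ in range(samples))


def two_count(n, k, d, encrypt):
    """Section 4, KPA over the whole codebook: number of pairs with I^1..I^{k-1}
    equal, S^k..S^{2k-d+1} equal and S^{2k-d}(i)^S^{2k-d}(j) = I^k(i)^I^k(j).
    The xor relation is equality of S^{2k-d}^I^k, so every condition goes into
    one hash key and the count costs O(m) rather than O(m^2)."""
    assert k + 2 <= d <= 2 * k - 1
    buckets = {}
    for I in product(range(1 << n), repeat=k):
        S = encrypt(I)
        key = I[:k - 1] + tuple(S[2 * k - d:k]) + (S[2 * k - d - 1] ^ I[k - 1],)
        buckets[key] = buckets.get(key, 0) + 1
    return sum(c * (c - 1) // 2 for c in buckets.values())


def random_permutation(n, k, rng):
    """A random permutation of {0,1}^{kn} as a shuffled lookup table."""
    words = list(product(range(1 << n), repeat=k))
    images = words[:]
    rng.shuffle(images)
    table = dict(zip(words, images))
    return lambda I: list(table[tuple(I)])


def experiment(n, k, d, trials, threshold, seed=1):
    """Section 7 protocol: per trial draw one F_k^d instance and one random
    permutation, run the attack on both, declare 'F_k^d' when N >= threshold.
    Returns (successes, false alarms) out of `trials`."""
    rng = random.Random(seed)
    hits = false_alarms = 0
    for _ in range(trials):
        funcs = random_round_functions(n, k, d, rng)
        n_f = two_count(n, k, d, lambda I: feistel_trace(funcs, I)[0])
        n_p = two_count(n, k, d, random_permutation(n, k, rng))
        hits += n_f >= threshold
        false_alarms += n_p >= threshold
    return hits, false_alarms


if __name__ == "__main__":
    print("output relations hold:", relations_check(4, 3, 7, seed=7))
    # F_3^5, n = 4: for F the count is 2^{2n} times the number of pairs of X^2
    # values on which f_3^(1) and f_3^(2) collide together, so it is 0 or >= 256,
    # while a random permutation gives about 2^{n-1} = 8 pairs.
    trials = 40
    hits, fa = experiment(4, 3, 5, trials, threshold=1 << (2 * 4 - 1))
    print(f"success {100 * hits / trials:.0f}%, false alarm {100 * fa / trials:.0f}%")
```

With these parameters the false-alarm rate is essentially zero, while the success rate is roughly 35-40%: for $F_3^5$ the count is non-zero only when the round-3 map $X^2 \mapsto (f_3^{(1)}(X^2), f_3^{(2)}(X^2))$ has a collision, which happens for a constant fraction of instances, the situation Section 3 describes when it says that the desired internal collision does not exist for some instances and the attack must be judged over many randomly chosen instances.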

Table 1. Experimental results for CPA-1 attacks (? : value lost in extraction)

| scheme  | threshold | percentage of success of the attack | percentage of false alarms |
| $F_3^6$ | 2         | 54%                                 | 4%                         |
| $F_3^7$ | ?         | 33%                                 | 1%                         |
| $F_3^8$ | 1         | 38%                                 | 1%                         |

We give some details in the $F_3^8$ case: here are the numbers of rectangle sets for 100 instances of $F_3^8$.

2, 0, 25, 1, 0, 3, 1, 0, 0, 0, 0, 0, 1, 1, 0, 1, 0, 0, 2, 0, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 12, 1, 4, 1,
0, 1, 4, 18, 0, 1, 1, 0, 0, 2, 0, 0, 0, 2, 0, 0, 0, 0, 1, 0, 0, 0, 3, 0, 0, 0, 0, 1, 0, 1, 13, 0, 1, 6, 0,
0, 0, 33, 0, 0, 0, 0, 4, 0, 0, 0, 0, 0, 1, 0, 3, 36, 1, 14, 0, 1, 0, 0, 0, 0, 0, 0, 0, 2, 0, 0

The corresponding numbers for 100 random permutations are composed of 99 zeros and a single one. This clearly shows that we can distinguish between the two cases.

Our experiments show that the distinguisher on $F_3^6$ is more efficient than the one on $F_3^8$ and than the one on $F_3^7$. But in all cases they confirm our ability to distinguish.

8 Attack by the Signature

It can be proved that all the permutations $F_k^d$ have an even signature. The proof of this result is quite similar to the proof in the case of a symmetric Feistel scheme [?]. Therefore, by computing the signature of $F_k^d$ we are able to distinguish $F_k^d$ from a random permutation with a non-negligible probability and $O(2^{kn})$ computations if all the $2^{kn}$ plaintext/ciphertext pairs are known. However, if we do not have access to the complete codebook of size $2^{kn}$, or if we want to distinguish $F_k^d$ from a random permutation with an even signature, this “attack” obviously fails.
9 Summary of the Results on $F_k^d$, $k \geq 3$, on TWO, SQUARE and Rectangle Attacks

The following table shows the results we have obtained with our different attacks.

Table 2. Results on $F_3^d$ (i.e. $k = 3$), on TWO, SQUARE and Rectangle attacks (i.e. without Multi-Rectangle attacks). CAUTION: Multi-Rectangle attacks may sometimes have better complexities.

|                    | KPA                                             | CPA-1                                           |
| $F_3^1$            | 1                                               | 1                                               |
| $F_3^2$            | $2^{\frac{n}{2}}$, TWO                          | 2                                               |
| $F_3^3$            | $2^{n}$, TWO                                    | 2                                               |
| $F_3^4$            | $2^{\frac{3n}{2}}$, TWO                         | $2^{\frac{n}{2}}$, TWO                          |
| $F_3^5$            | $2^{2n}$, TWO                                   | $2^{n}$, TWO                                    |
| $F_3^6$            | $2^{\frac{9n}{4}}$, SQUARE                      | $2^{\frac{5n}{3}}$, SQUARE                      |
| $F_3^7$            | $2^{\frac{5n}{2}}$, R1, $\varphi = 6$           | $2^{2n}$, R1, $\varphi = 6$                     |
| $F_3^8$            | $2^{\frac{23n}{8}}$, R2, $\varphi = 8$          | $2^{\frac{5n}{2}}$, R2, $\varphi = 8$           |
| $F_3^9$            | $2^{3n}$, R2, $\varphi \geq 10$                 | $2^{3n}$, R2, $\varphi \geq 10$                 |
| $F_3^{10}$         | $2^{7n}$, TWO                                   | $2^{7n}$, TWO                                   |
| $F_3^{11}$         | $2^{8n}$, TWO                                   | $2^{8n}$, TWO                                   |
| $F_3^d$, $d \geq 10$ | $2^{(d-6+\lfloor d/3 \rfloor)n}$, TWO         | $2^{(d-6+\lfloor d/3 \rfloor)n}$, TWO           |

10 Multi-Rectangle Attacks

An interesting problem is to design better attacks than 2-point attacks or rectangle attacks. We have tried attacks with different geometries of equations (hexagons instead of rectangles, multi-dimensional cubes instead of 2-dimensional rectangles, etc.). So far the best new attacks that we have found are “Multi-Rectangle attacks”, i.e. attacks where some “rectangles” in $I$ equations are linked with $S$ equations. We will present here only two examples. More details are given in the extended version of this paper. These new attacks are very promising asymptotically (i.e. when $n$ becomes large), but their efficiency from a practical point of view and the design optimality are still under investigation.

Example 1. With a 2-rectangle attack (as in Figure 4 below), it seems that we can attack $F_3^8$ with a complexity strictly less than $2^{?n}$ (the exponent is unreadable on the scanned page). Therefore this attack is expected to be better than rectangle attacks. However we have to use 2 rectangles of about $2 \times 20$ points. Consequently we will have a large constant in the complexity, and therefore such a theoretical attack might be of no practical interest.

Example 2. It seems that we can attack $F_k^d$ when $d \leq k^2 + k$ with a complexity less than $O(2^{kn})$ with a Multi-Rectangle attack when $k$ is fixed (with a huge coefficient depending on $k$ and not on $n$ in the $O$). This attack is based on arrays of $(k+1)$-dimensional hypercubes. This attack is still under investigation.
Table 3. Results on $F_k^d$ for $k \geq 3$, on TWO, SQUARE and Rectangle attacks (i.e. without Multi-Rectangle attacks). CAUTION: Multi-Rectangle attacks may sometimes have better complexities. (? : exponent lost in extraction.)

|                                   | KPA                                                  | CPA-1                                                   |
| $F_k^1$                           | 1                                                    | 1                                                       |
| $F_k^2$                           | $2^{\frac{n}{2}}$, TWO                               | 2                                                       |
| $F_k^3$                           | $2^{n}$, TWO                                         | 2                                                       |
| $F_k^d$, $2 \leq d \leq k$        | $2^{\frac{d-1}{2}n}$, TWO                            | 2                                                       |
| $F_k^{k+1}$                       | $2^{\frac{k}{2}n}$, TWO                              | $2^{\frac{n}{2}}$, TWO                                  |
| $F_k^{k+2}$                       | $2^{\frac{k+1}{2}n}$, TWO and SQUARE                 | $2^{n}$, TWO                                            |
| $F_k^{k+3}$                       | $2^{\frac{2k+3}{4}n}$, SQUARE                        | $2^{2n}$, TWO or $2^{?n}$, SQUARE                       |
| $F_k^d$, $k+2 \leq d \leq 2k$     | $2^{\frac{d+k}{4}n}$, SQUARE                         | $2^{(d-k-1)n}$, TWO or $2^{?n}$, SQUARE                 |
| $F_k^{2k}$                        | $2^{\frac{3k}{4}n}$, SQUARE                          | $2^{\frac{2k-1}{3}n}$, SQUARE                           |
| $F_k^{3k-1}$                      | $2^{(k-?)n}$, R3 for $k = 4$, R4 for $k \geq 5$      | $2^{(k-?)n}$, R2 for $k = 4$, R4 for $k \geq 5$         |
| $F_k^{3k}$                        | $2^{kn}$, R2                                         | $2^{kn}$, R2                                            |
| $F_k^d$, $3k \leq d \leq k^2$     | $2^{(d-2k)n}$, R2                                    | $2^{(d-2k)n}$, R2                                       |

Fig. 4. Example of a multi-rectangle attack on $F_3^8$

Multi-Rectangle attacks are also of interest for fewer rounds, for example in order to attack $F_k^{2k}$ with a smaller complexity than rectangle attacks.
11 Conclusion

In [?], Jutla has introduced “Rectangle attacks” against unbalanced Feistel schemes. To improve the attacks of Jutla, we have first made a systematic analysis of the different ways to optimize the parameters. We have obtained like this 5 different kinds of “rectangle attacks” that we have called SQUARE, R1, R2, R3 and R4. By computing the optimal parameters, we have shown that we can attack $3k-1$ rounds in KPA, instead of $3k-3$ in CPA-1 for Jutla, with a complexity strictly lower than $2^{kn}$ with these “Rectangle attacks” (this was confirmed with experimental simulations). Moreover, we have also described two other families of attacks that we have called TWO (for 2-point attacks) and “Multi-Rectangle attacks”. We have shown that sometimes TWO attacks are the best, and sometimes it is SQUARE, R1, R2, R3, R4 or Multi-Rectangle attacks, depending on the choices of $d$ and $k$. For example, for very small values of $d$, TWO attacks are the best. Multi-Rectangle attacks seem to be very promising from a theoretical point of view. For example, we may attack much more than $3k-1$ rounds with a complexity strictly lower than $2^{kn}$, and we may attack $F_k^{2k}$ with a complexity better than with rectangle attacks. However, the precise properties of Multi-Rectangle attacks are not yet known, since these attacks are still under investigation.

In conclusion, there are many more possibilities for generic attacks on unbalanced Feistel schemes with expanding functions than with other Feistel schemes (classical or with contracting functions). So these constructions must be designed with great care and with sufficiently many rounds. However, if sufficiently many rounds are used, these schemes are very interesting, since the memory needed to store the functions is much smaller compared with other generic Feistel schemes.

More examples and more simulations can be found in the extended version of this paper.
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Abstract. Tweakable blockciphers, first formalized by Liskov, Rivest, 
and Wagner m are blockciphers with an additional input, the tweak, 
which allows for variability. An open problem proposed by Liskov et al. 
is how to construct tweakable blockciphers without using a pre-existing 
blockcipher. There are many natural questions in this area: is it signif- 
icantly more efficient to incorporate a tweak directly? How do direct 
constructions compare to existing techniques? Are these direct construc- 
tions optimal and for what levels of security? How large of a tweak can 
be securely added? In this work, we explore these questions for Luby- 
Rackoff blockciphers. We show that tweakable blockciphers can be cre- 
ated directly from Luby-Rackoff ciphers, and in some cases show that 
direct constructions of tweakable blockciphers are more efficient than 
previously known constructions. 


1 Introduction 

A blockcipher, also known as a pseudorandom permutation, is a pair of algorithms $E$ and $D$. The encryption algorithm $E$ takes two inputs, a key $K$ and a message block $M$, and produces a ciphertext block $C$ of the same length as $M$, while the decryption algorithm $D$ reverses this process. A blockcipher is considered secure if, for a random secret key $K$, the cipher is indistinguishable from a random permutation.

A tweakable blockcipher takes an extra input, the tweak $T$, that is used only to provide variation and is not kept secret. Unlike changing the key, changing the tweak should involve minimal extra cost. A tweakable blockcipher is considered secure if it is indistinguishable from a family of random permutations indexed by the tweak. The Hasty Pudding Cipher by Schroeppel was the first to introduce an auxiliary blockcipher input called a “spice”, and Liskov, Rivest, and Wagner later formalized the notion of tweakable blockciphers. Liskov et al. describe two levels of security: a secure (CPA) tweakable blockcipher is one that is indistinguishable from a random permutation family to any adversary that may make chosen plaintext queries, while a strongly secure (CCA) tweakable blockcipher is pseudorandom even to an adversary that may also make chosen ciphertext queries.

Tweakable blockciphers have many practical applications. Liskov et al. describe how they can be used to implement secure symmetric encryption and authenticated encryption. Halevi and Rogaway suggest an immediate application to private storage where the tweak is set to be the memory address of an enciphered block; thus the encryptions of two blocks with the same plaintext are not likely to look the same, and yet decryption remains straightforward. Tweakable blockciphers have also been studied in a variety of other contexts.

Feistel Blockciphers. Feistel blockciphers have been an actively studied class of constructions since Horst Feistel invented them in 1973. In particular, Luby and Rackoff showed how to construct a pseudorandom permutation from a pseudorandom function by composing three (or four in the case of CCA security) Feistel permutations. We call this construction the Luby-Rackoff blockcipher. In 1996, Lucks described an optimization for the secure 3-round version by replacing the first round with a universal hash function. Shortly afterwards, Naor and Reingold provided the analogous optimization for the strongly secure 4-round cipher, replacing both the first and last rounds with a more general type of function. In 2001, Ramzan formally studied many variations on the Luby-Rackoff cipher. Patarin gave proofs of security for certain constructions against unbounded adversaries with access to exponentially many queries, albeit assuming the individual round functions are random functions rather than pseudorandom. Specifically, Patarin proved security for 7 rounds against $q \ll 2^k$ queries, where the blockcipher input is of size $2k$, and later improved this to show that 5 rounds is sufficient, both for chosen-plaintext and chosen-ciphertext attacks, which remains the best proven security level for Feistel ciphers. Dodis and Puniya recently provided a combinatorial understanding of Feistel networks when the round functions are unpredictable rather than pseudorandom.

Our Work. Liskov, Rivest, and Wagner give two constructions for tweakable blockciphers, each one constructed from an underlying blockcipher. Subsequent work has also taken this approach; Halevi and Rogaway’s EMD and EME modes and Rogaway’s XEX mode were all blockcipher modes of operation. The only examples of specific tweakable blockciphers are the Hasty Pudding and the Mercy ciphers.

One open problem proposed by Liskov et al. was to study how to incorporate tweaks into existing blockciphers, or to design tweakable blockciphers directly. In this work, we perform a systematic study of issues relating to directly tweaking Luby-Rackoff blockciphers. We analyze the approach of including a tweak by XOR-ing the tweak value into one or more places in the dataflow. This natural model for adding a tweak changes the cipher minimally. Also, approaches involving more direct cryptographic processing of the tweak (e.g. hashing the tweak) have a significant additional cost associated with changing the tweak.

Our Contributions. We present tweakable Luby-Rackoff blockciphers, for both CPA and CCA security, and against both polynomial-time adversaries and unbounded adversaries with $q \ll 2^k$ queries,$^1$ where $k$ is half the size of the input (matching the best result for ordinary blockciphers). Specifically, we construct tweakable blockciphers:

— CPA-secure against polynomial adversaries in 4 rounds (Theorem 3)

— CCA-secure against polynomial adversaries in 6 rounds (Theorem 8)

— CPA-secure against $q \ll 2^k$ queries in 7 rounds (Theorem 4)

— CCA-secure against $q \ll 2^k$ queries in 10 rounds (Theorem 9)

Recall that for polynomial adversaries CPA-security requires 3 rounds whereas CCA-security requires 4. It is thus natural to wonder whether our constructions are optimal. We prove that our constructions against polynomial adversaries are indeed round-optimal in our model (Theorems 1 and 7). Furthermore, we show that any construction of 6 or fewer rounds in our model can be attacked with $O(2^{k/2})$ queries (Table 1), so our construction of Theorem 4 is also round-optimal. In addition, the attacks used to prove the round-optimality of our constructions, as well as our extension of the proof methods of Naor and Reingold, help to form the theoretical foundation necessary for the secure design of tweakable blockciphers regardless of construction, as well as shedding light on the difficulties in adding a tweak to Feistel-based blockciphers such as RC6 and MARS.

We also explicitly address the problem of incorporating tweaks of arbitrary length, an important issue not addressed in the literature.$^2$ We show that our CPA-secure constructions can incorporate additional blocks of tweak at the cost of 1 round per block (Theorem 11 and its exponential-security analogue in Section 6), and that our CCA-secure constructions may be similarly extended at the cost of 2 rounds per block of tweak (Theorem 12 and its exponential-security analogue in Section 6).

2 Definitions 

A tweakable blockcipher is a triple of algorithms $(G, E, D)$ for key generation, encryption, and decryption, respectively. We restrict our attention to tweakable blockciphers where $G(\cdot)$, $E_K(\cdot,\cdot)$, and $D_K(\cdot,\cdot)$ are all efficiently computable algorithms, and where the correctness property holds; that is, for all $M$, $T$, and for all keys $K \in G(1^k)$, $D_K(E_K(M,T),T) = M$. We also generally assume that $G(1^k)$ draws keys uniformly at random from $\{0,1\}^{p(k)}$ for some polynomial $p$.

$^1$ That is, any non-negative $q < 2^k$ such that $q 2^{-k}$ is negligible.

$^2$ Using tweaks of arbitrary length has been considered for tweakable symmetric encryption, but not for one-block constructions. Certain applications require different, specific tweak sizes, and one may want to allow longer tweaks to include more information. Indeed, this was the motivation for Schroeppel to allow spice values of 512 bits in the Hasty Pudding Cipher.

We have two notions of security: (1) chosen-plaintext secure (CPA) and (2) chosen-ciphertext secure (CCA). Security is defined in terms of both a polynomial and an exponential adversary; polynomial adversaries are limited to a number of queries and computations polynomial in the message size, whereas an exponential adversary is allowed unlimited computation, but is bounded by an exponential number of queries relative to the message size.

Definition 1. Over all adversaries with access to an encryption oracle, the maximum advantage is defined as:

$$\mathrm{ADV\text{-}TBC}_k(E, q, t) = \max_A \left| \Pr[A^{E_K(\cdot,\cdot)}(1^k) = 1] - \Pr[A^{\Pi}(1^k) = 1] \right|$$

where (1) for all $k$, $K$ is generated by $G(1^k)$, (2) $\Pi$ is a random permutation family parameterized by its second input, and (3) $A$ is allowed to run for $t$ steps and make at most $q$ oracle queries.

Definition 2. Over all adversaries with access to an encryption and decryption oracle, the maximum advantage is defined as:

$$\mathrm{ADV\text{-}STBC}_k(E, D, q, t) = \max_A \left| \Pr[A^{E_K(\cdot,\cdot),\,D_K(\cdot,\cdot)}(1^k) = 1] - \Pr[A^{\Pi,\,\Pi^{-1}}(1^k) = 1] \right|$$

where (1) for all $k$, $K$ is generated by $G(1^k)$, (2) $\Pi, \Pi^{-1}$ are a pseudorandom permutation family and its inverse, and (3) $A$ is allowed to run for $t$ steps and make at most $q$ oracle queries.

A tweakable blockcipher is CPA secure if for all $k$, for $q$ queries and time $t$, $\mathrm{ADV\text{-}TBC}_k(E, q, t)$ is negligible in $k$. A tweakable cipher is said to be polynomially-secure if $q$ and $t$ are polynomial in $k$. If $t$ is unspecified, then it may be unbounded. We define CCA security in the same manner.

3 The Feistel Blockcipher 

Recall the formula for the Feistel blockcipher on input $M = (L^0, R^0)$:

$$L^{i+1} = R^i$$

$$R^{i+1} = f_{i+1}(R^i) \oplus L^i$$

where the output after $n$ rounds is $(L^n, R^n)$, and each $f_i$ is a pseudorandom function specified by the key. Further recall that the 3-round Feistel construction is secure against chosen plaintext attacks, and the 4-round construction is secure against chosen ciphertext attacks.

3.1 Notation 

In order to talk about where to add a tweak, we must first establish some notation. Unless otherwise specified, the tweaks we refer to are a half-block in length; that is, on input $M$ of size $2k$, the tweak is of size $k$. As we will later see, a blockcipher may allow for longer tweaks; we think of these as “multiple tweaks,” as conceptually, the longer tweak can be thought of as being composed of multiple tweaks, each of the same size.

For an $n$-round Luby-Rackoff construction, a single half-block of tweak can conceivably be XOR-ed in at any of the following unique locations: $\mathcal{L}_0, \mathcal{L}_1, \ldots, \mathcal{L}_n, \mathcal{R}_0, \mathcal{R}_{0.5}, \mathcal{R}_1, \ldots, \mathcal{R}_{n-0.5}, \mathcal{R}_n$. Let this set be denoted by $\Lambda_n$. We illustrate the $\Lambda_3$ (3-round) locations in Figure 1.

Let $T_\lambda$ be the XOR of all the tweaks used at location $\lambda \in \Lambda_n$. The formula for our construction is:

$$L^{i+1} = R^i \oplus T_{\mathcal{R}_i}$$

$$R^{i+1} = f_{i+1}(R^i \oplus T_{\mathcal{R}_i} \oplus T_{\mathcal{R}_{i+0.5}}) \oplus L^i \oplus T_{\mathcal{L}_i}$$

[Figure 1: $\Lambda_3$, the locations at which to XOR a tweak of length $|M|/2$ for 3-round LR]

We use “$BC(n, \lambda)$” to refer to the tweakable blockcipher construction where the number of Luby-Rackoff rounds is $n$ and a tweak $T_\lambda$ is XOR-ed in at some location $\lambda \in \Lambda_n$. To denote adding multiple tweaks, we write “$BC(n, \lambda_1, \ldots, \lambda_t)$”, where $T_{\lambda_i} = T_i$ is the tweak for location $\lambda_i$, and different locations each have their own independent tweak. Thus, in such a construction, the tweak size is $tk$.

We might also want to denote adding the same tweak value at two or more locations. We write this as “$BC(n, \lambda_1 + \lambda_2)$”, where the implication of using the compound location $\lambda_1 + \lambda_2$ is that $T_{\lambda_1} = T_{\lambda_2}$. Of course, we may also consider a construction with multiple tweaks, each of which may be a compound location; we use the obvious notation for this. We use the symbol $\Gamma$ to denote a (possibly) compound tweak location.

In $\Lambda_n$, we have listed all tweaks at “.5” locations, i.e., $\mathcal{R}_{i+0.5}$ for some $i$. However, we do not have to consider these locations.

Lemma 1. For all $m$, $\mathcal{R}_{m+0.5}$ is equivalent to $\mathcal{R}_m + \mathcal{L}_{m+1}$.

Lemma 2. For all $0 \le m < n$, $\mathcal{L}_m$ is equivalent to $\mathcal{R}_{m+1}$.

Since $\mathcal{L}_m$ and $\mathcal{R}_{m+1}$ are equivalent, we will use them interchangeably. This starts us off with a reduced set of tweakable constructions to study, including tweaks at locations $\mathcal{L}_n, \mathcal{R}_0, \ldots, \mathcal{R}_n$ and all combinations thereof.
4 Tweakable Blockciphers with CPA Security 

In this section, we focus on achieving CPA security. In the next section, we will 
discuss the stronger CCA notion of security. 

We begin by presenting some general results that hold for an arbitrary number of rounds. These results will help us to narrow down the possibilities for secure constructions and to prove the optimality of our final construction. As stated in Section 3, the set of possibly secure constructions includes those with tweaks at locations $\mathcal{L}_n, \mathcal{R}_0, \ldots, \mathcal{R}_n$ and all combinations thereof. However, we remark in Lemma 3 that we do not need to consider all possible locations, and that some locations can be simulated without directly tweaking the blockcipher; this important observation is used frequently throughout the paper.

Lemma 3. For all $n$, without loss of generality, we can consider only constructions that never use the tweak locations $\mathcal{L}_n$, $\mathcal{R}_n$, $\mathcal{R}_0$, or $\mathcal{R}_1$, even in compound locations, and even when considering CCA security.

Proof. We can simulate oracle queries with or without the tweaks in $\mathcal{L}_n$, $\mathcal{R}_n$, $\mathcal{R}_0$, or $\mathcal{R}_1$. To simulate a query $(L^0, R^0, T_1, \ldots, T_t)$ to a construction with these tweaks, we make a query $(L^0 \oplus T_{\mathcal{R}_1}, R^0 \oplus T_{\mathcal{R}_0}, T_1, \ldots, T_t)$ to the construction without these tweaks to obtain $(L^n, R^n)$, and we return $(L^n \oplus T_{\mathcal{L}_n}, R^n \oplus T_{\mathcal{R}_n})$. Decryption queries can be simulated similarly.

The set of tweak locations we need to consider is thus reduced to $\{\mathcal{R}_2, \ldots, \mathcal{R}_{n-1}\}$. From here on, we consider $\Lambda_n$ to be $\{\mathcal{R}_2, \ldots, \mathcal{R}_{n-1}\}$.

Lemma 4. For all $n$, $BC(n, \mathcal{R}_{n-1})$ is not CPA-secure.

Proof. We use a 2-query attack. If we query $(L, R, T)$ to get $(L^n_1, R^n_1)$, and then query $(L, R, T')$ to get $(L^n_2, R^n_2)$, then $L^n_1 \oplus L^n_2 = T \oplus T'$.

Thus, we arrive at our first round-specific conclusion. 

Theorem 1 (No Tweakable 3-Round Constructions). For all $n < 4$ and all compound locations $\Gamma$ of elements in $\Lambda_n$, $BC(n, \Gamma)$ is not CPA-secure.

Proof. This follows from Lemmas 3 and 4 and the set $\{\mathcal{R}_2, \ldots, \mathcal{R}_{n-2}\}$ being empty for $n = 3$.


4.1 Secure Locations 

We have reduced the set of possible secure single tweak locations to $\{\mathcal{R}_2, \ldots, \mathcal{R}_{n-2}\}$. We now show that each of these locations is secure for $n \ge 4$. However, first we must define $\epsilon$-ARCU$_2$ hash functions and introduce some related work.

Definition 3. An $\epsilon$-ARCU$_2$ (“Almost Right-Collision-avoiding Universal”) hash function family is a hash function family with a range of $\{0,1\}^{2k}$ with the property that for all $x \ne y$, the probability that $h_R(x) = h_R(y)$ is at most $2^{-k} + \epsilon$, over the choice of $h$, where $h_R$ denotes the right half of the output of $h$.

Naor and Reingold create a secure blockcipher using two Luby-Rackoff rounds in combination with a potentially less expensive function.

Theorem 2 (Naor-Reingold). If $E$ denotes two Luby-Rackoff rounds with truly random round functions, and $h$ is drawn from an $\epsilon$-ARCU$_2$ hash function family, then $E \circ h$ is indistinguishable (in a CPA attack) from a random function.

Using Definition 3 and Theorem 2, we are able to construct CPA-secure tweakable blockciphers.

Theorem 3 (Several Tweakable $n$-Round Constructions (for $n \ge 4$)). For all $n \ge 4$ and $m \in \{2, \ldots, n-2\}$, $BC(n, \mathcal{R}_m)$ is CPA-secure against polynomially bounded adversaries.

Proof. We can capitalize on Theorem 2 as follows. We will prove that when we let $h(L, R, T) = (L \oplus f_{m-1}(R) \,\|\, R \oplus T \oplus f_m(L \oplus f_{m-1}(R)))$ over random choice of $f_{m-1}$ and $f_m$, these conditions hold. Here, $h$ is comprised of the last two rounds of the construction before the tweak, including the tweak. Once we prove this, the result will follow: the first $m-2$ rounds are a permutation, so if $h'$ is comprised of the first $m$ rounds, it will be $\epsilon$-ARCU$_2$ if $h$ is. Furthermore, since $m \le n-2$, there are at least 2 more rounds to follow; any further rounds are another permutation and pseudorandomness will be maintained.

Lemma 5. The family $h(L, R, T) = (L \oplus f_1(R) \,\|\, R \oplus T \oplus f_2(L \oplus f_1(R)))$, where $f_1$ and $f_2$ are randomly chosen over the domain of all functions from $k$ bits to $k$ bits, is $\epsilon$-ARCU$_2$, for $\epsilon = 2^{-k} + 2^{-2k}$.

Proof. Let $x = (L, R, T)$ and $y = (L', R', T')$, where $x \ne y$. Note that if $R \ne R'$ then the probability that $L \oplus f_1(R) = L' \oplus f_1(R')$ is the probability that $f_1(R) = L \oplus L' \oplus f_1(R')$, which is $2^{-k}$. Similarly, if $R = R'$ but $L \ne L'$ then $L \oplus f_1(R) \ne L' \oplus f_1(R')$. In either case, the probability that $L \oplus f_1(R) = L' \oplus f_1(R')$ is at most $2^{-k}$. Finally, if $R = R'$ and $L = L'$ then $T \ne T'$, so $h_R(L, R, T) = h_R(L, R, T') \oplus T \oplus T' \ne h_R(L, R, T')$.

The probability that $h_R(L, R, T) = h_R(L', R', T')$ given that $L \oplus f_1(R) \ne L' \oplus f_1(R')$ is the probability that $f_2(L \oplus f_1(R)) = R \oplus R' \oplus T \oplus T' \oplus f_2(L' \oplus f_1(R'))$, which is $2^{-k}$, so the probability we hit a collision is at most $(1 - 2^{-k})(2^{-k}) + 2^{-k} \le 2^{-k} + 2^{-2k} + 2^{-k} = 2^{-k} + \epsilon$.

From the Lemma, if all the round functions are random, then the $h$ we are interested in is $\epsilon$-ARCU$_2$. By Theorem 2, $BC(n, \mathcal{R}_m)$ is indistinguishable from a random function if all round functions are random. Therefore, $BC(n, \mathcal{R}_m)$ must be CPA secure if its round functions are pseudorandom (since random functions are indistinguishable from random permutation families). This completes the proof of Theorem 3.
Corollary 1 (CPA Security In 4 Rounds). $BC(4, \mathcal{R}_2)$ is CPA-secure and round-optimal.

Proof. This follows directly from Theorems 1 and 3.

4.2 Exponential Attacks 

In this section, we investigate the security of tweakable blockcipher constructions against an adversary who is capable of making an exponential number of queries. We provide general attacks against several types of tweakable constructions built from Luby-Rackoff permutations. In this section, we assume all round functions are ideal, in other words, that they are uniform random functions.$^3$ We consider a construction secure against exponentially many queries if the probability of any computationally unbounded adversary allowed $q \ll 2^k$ queries to distinguish the construction from a random permutation family is negligible in $k$. These attacks apply to constructions with both single and compound tweak locations (where the same tweak value is XOR-ed in at multiple locations) and are used to prove that all constructions of fewer than 7 rounds can be distinguished from a random permutation family in $O(2^{k/2})$ queries.

Lemma 6. For any $0 \le r < n$, $BC(n, \mathcal{R}_{r+0.5})$ is insecure against $O(2^{k/2})$ queries.

Proof. The attack is as follows: fix the message and query with $2^{k/2}$ different tweaks. The probability that two different queries lead to the same output is negligible for a random permutation family. However, the probability that two queries lead to a collision in this construction is not negligible. On each query, the internal values stay constant until the input to $f_{r+1}$. Since we have made $2^{k/2}$ queries to an ideal round function, we can expect with non-negligible probability to get a collision on the output of $f_{r+1}$ for two distinct queries. If we get such a collision, notice the entire output ciphertext will collide.

Corollary 2. For any $0 \le r < n$, $BC(n, \mathcal{R}_{r+0.5} + \mathcal{R}_{r+1})$ is insecure against $O(2^{k/2})$ queries.

Proof. The attack is identical to that used in Lemma 6, except that instead of expecting a collision of the type $f_{r+1}(R^r \oplus T) = f_{r+1}(R^r \oplus T')$, we expect a collision of the type $f_{r+1}(R^r \oplus T) \oplus T = f_{r+1}(R^r \oplus T') \oplus T'$.

Lemma 7. For any $0 \le r < n$, $BC(n, \mathcal{R}_{r+0.5} + \mathcal{R}_{n-1})$ is insecure against $O(2^{k/2})$ queries.

Proof. For this proof we will first need a result from probability. 

Lemma 8 (Strong Birthday Lemma). For all $k \ge 1$, there exists an $m \le 1.2 \times 2^{k/2}$ such that if $p$ is the probability of picking an element twice when selecting $m$ elements from a $2^k$-element set with replacement uniformly at random, then $p$ and $1 - p$ are both non-negligible in $k$.

$^3$ This is the standard assumption when we want to prove security in a setting where the adversary has beyond-polynomial capabilities.
Proof. For the proof of the Strong Birthday Lemma, see the full version.

The attack is as follows: Compute the $m$ described in Lemma 8. Keep the message constant and query with $m$ different tweaks. The probability that two ciphertexts are such that $L^n \oplus T = L'^n \oplus T'$ is significantly higher for the actual construction than for a random permutation family. Since $m \le 1.2 \times 2^{k/2}$, this attack can be performed by an exponential adversary.

Notice that the internal values of any pair of queries are the same up to the input of $f_{r+1}$. For every query, $f_{r+1}$ receives a different input (as the input is a fixed value XOR-ed by the tweak). Since the round functions are ideal, the event of getting a collision on two outputs of $f_{r+1}$ with $m$ different queries reduces to the event of picking the same element twice as described in Lemma 8; say that probability is $p$. Notice that if such a collision happens, we always get a collision of the type $L^n \oplus T = L'^n \oplus T'$.

Assume that the outputs of $f_{r+1}$ are distinct for each of the $m$ queries. Notice that in order to have a collision of two $R^{n-2}$ values, it must be true that the $L^{n-2}$ values differ for both queries, because the intervening rounds act as a permutation. Therefore, we will get a collision on $R^{n-2}$ if and only if we have a collision of the type:

$$f_{n-2}(L^{n-2}) \oplus L^{n-3} = f_{n-2}(L'^{n-2}) \oplus L'^{n-3}.$$

Since the probability of such a collision for any two queries is either $2^{-k}$ or $0$ (in the case that the $L^{n-2}$ values coincide), we can bound the probability of having such a collision above by $\binom{m}{2} 2^{-k} \le .72$ since $m \le 1.2 \times 2^{k/2}$. Therefore, in this case, with probability greater than or equal to $.28$, we can assume all $R^{n-2}$ values are distinct. Notice:

$$L^n \oplus T = L'^n \oplus T' \iff f_{n-1}(R^{n-2}) \oplus L^{n-2} \oplus T = f_{n-1}(R'^{n-2}) \oplus L'^{n-2} \oplus T'.$$

The probability of such an event occurring over $m$ queries with distinct $R^{n-2}$ and ideal round functions is, again, $p$. Therefore, the overall probability of getting at least two ciphertexts with the described property is at least $p + (1 - p)(.28p)$.

If the construction we are given is the random permutation family, the probability of getting the coincidence described is clearly $p$. Therefore the difference in probabilities of this event happening for the tweakable construction and the random permutation family is at least $p + .28p(1-p) - p = .28p(1-p)$. Since $p$ and $1-p$ are non-negligible in $k$ (by Lemma 8), this value is also non-negligible, and therefore our attack successfully distinguishes the two constructions.

Corollary 3. $BC(n, \mathcal{R}_{r+0.5} + \mathcal{R}_{r+1} + \mathcal{R}_{n-1})$ is insecure against $O(2^{k/2})$ queries.

Proof. The generalization of Lemma 7 to Corollary 3 is identical to the extension of Lemma 6 to Corollary 2.
These four attacks can be used to attack every tweakable Luby-Rackoff blockcipher of 6 or fewer rounds. A rundown of which general attack applies for each construction can be found in Table 1. We do not include $\mathcal{R}_1$ or $\mathcal{R}_0$ in the possible locations, or their equivalent constructions, in Table 1, since they can be simulated away by Lemma 3.

4.3 A Tweakable Construction Secure for $q \ll 2^k$ Queries

We now show a 7-round Luby-Rackoff construction that is secure against an adversary allowed $q \ll 2^k$ queries.

Theorem 4. $BC(7, \mathcal{R}_3 + \mathcal{L}_3)$ is CPA-secure for $q \ll 2^k$ queries.$^4$

Proof. To prove that this construction is a secure tweakable blockcipher we utilize the following theorem from Patarin.

Theorem 5 (Patarin). Let $F$ be a function from $2k$ bits to $2k$ bits. If $F$ has the property that for $q \ll 2^k$ queries, the probability of having $l \ge O(k)$ indices such that $R_{i_1} = R_{i_2} = R_{i_3} = \cdots = R_{i_l}$ is negligible (where $R_j$ is the right half of the $j$'th output of $F$), and on distinct inputs $F$ has only a negligible probability of a full collision on its outputs, then $E \circ F$ (where $E$ is a four-round Luby-Rackoff function) is indistinguishable from random for $q \ll 2^k$ input queries.

We decompose our 7-round construction into two functions, $F$ and $E$, where $F$ is the first three rounds, including the XOR-ed tweak at both $\mathcal{L}_3$ and $\mathcal{R}_3$, and $E$ is the last four rounds. It is obvious that $E$ is a four-round Luby-Rackoff function. To prove that $F$ has the properties enumerated in Theorem 5, we need to prove the following two properties about $F$.

Lemma 9. $F$ is such that for any two distinct queries, the probability of the outputs being equal is $O(2^{-2k})$ and the probability of the right halves of the outputs being equal is $O(2^{-k})$.

$^4$ Although $\mathcal{L}_3$ is equivalent to $\mathcal{R}_4$, we think of this construction as using $\mathcal{L}_3$, so that we can conceptually split the function this way.

Table 1. All possible 6-round tweakable blockcipher constructions and the corresponding lemmas that prove the constructions are insecure

Location | Equivalent | Attack
$\mathcal{R}_2$ | $\mathcal{R}_{0.5}$ | Lemma 6
$\mathcal{R}_3$ | $\mathcal{R}_{1.5}$ | Lemma 6
$\mathcal{R}_4$ | $\mathcal{R}_{4.5}$ | Lemma 6
$\mathcal{R}_5$ | N/A | Lemma 6
$\mathcal{R}_2 + \mathcal{R}_3$ | $\mathcal{R}_{1.5} + \mathcal{R}_2$ | Corollary 2
$\mathcal{R}_2 + \mathcal{R}_4$ | $\mathcal{R}_{2.5}$ | Lemma 6
$\mathcal{R}_2 + \mathcal{R}_5$ | $\mathcal{R}_{0.5} + \mathcal{R}_5$ | Lemma 7
$\mathcal{R}_3 + \mathcal{R}_4$ | $\mathcal{R}_{3.5} + \mathcal{R}_4 + \mathcal{R}_5$ | Corollary 3
$\mathcal{R}_3 + \mathcal{R}_5$ | $\mathcal{R}_{3.5}$ | Lemma 6
$\mathcal{R}_4 + \mathcal{R}_5$ | $\mathcal{R}_{4.5} + \mathcal{R}_5$ | Corollary 2
$\mathcal{R}_2 + \mathcal{R}_3 + \mathcal{R}_4$ | $\mathcal{R}_{2.5} + \mathcal{R}_3$ | Corollary 2
$\mathcal{R}_2 + \mathcal{R}_3 + \mathcal{R}_5$ | $\mathcal{R}_{1.5} + \mathcal{R}_2 + \mathcal{R}_5$ | Corollary 3
$\mathcal{R}_2 + \mathcal{R}_4 + \mathcal{R}_5$ | $\mathcal{R}_{2.5} + \mathcal{R}_5$ | Lemma 7
$\mathcal{R}_3 + \mathcal{R}_4 + \mathcal{R}_5$ | $\mathcal{R}_{3.5} + \mathcal{R}_4$ | Corollary 2
$\mathcal{R}_2 + \mathcal{R}_3 + \mathcal{R}_4 + \mathcal{R}_5$ | $\mathcal{R}_{2.5} + \mathcal{R}_3 + \mathcal{R}_5$ | Corollary 3
Proof. For the proof, see the full version.

So long as the queries the adversary makes do not produce a full collision on $F$ or a multi-collision on the right half of the output of $F$, the responses are indistinguishable from random. Therefore, the queries of the adversary are independent of the outputs of $F$ so long as the required conditions hold. By Lemma 9, the probability of an overall collision in $q \ll 2^k$ queries is $O(q^2 2^{-2k})$, which is negligible. Similarly, the probability of an $l$-way multicollision on the right is $O(q^l 2^{-(l-1)k}) = O(2^k (q 2^{-k})^l)$. Since $q < 2^{k(1-\epsilon)}$ for some $\epsilon$, we know that $(q 2^{-k})^l < (2^{-k\epsilon})^l = 2^{-kl\epsilon}$. If $l \ge k \ge 2/\epsilon$, which will be true for sufficiently large $k$, this probability is bounded by $2^{-k}$. Thus, $F$ satisfies the necessary properties with all but a negligible prob
ability, which completes our proof of Theorem 4.

5 Tweakable Blockciphers with CCA Security 

In this section, we study the problem of achieving CCA security. An important observation to make in constructing a CCA-secure tweakable blockcipher is a distinguishing attack we will call the four-message attack, which is a type of Boomerang attack. The attack can be performed by any adversary with access to encryption and decryption oracles, $E$ and $D$ respectively. To perform the attack, the adversary makes four queries:

1. For an arbitrary message $M$ and tweak $T$, obtain $C = E(M, T)$.

2. For an arbitrary tweak $T' \ne T$, obtain $C' = E(M, T')$.

3. Obtain $M' = D(C', T)$.

4. Obtain $C'' = E(M', T')$. If $C = C''$: output 1, otherwise output 0.

A wide class of tweakable blockciphers fall to the four-message attack:

Theorem 6 (Four Message Attack). Suppose that $g_1 : \{0,1\}^n \to \{0,1\}^l$ is an injective function that is invertible on its domain, that $g_2 : \{0,1\}^* \to \{0,1\}^l$ is any deterministic function, and that $g_3 : \{0,1\}^l \to \{0,1\}^n$ is a function such that for all $C$ and $T$ there exists a unique $A$ such that $g_3(A \oplus g_2(T)) = C$. Then the construction $E_K(M, T) = g_3(g_2(T) \oplus g_1(M))$ is not CCA-secure.

Proof. Note that $C = g_3(g_2(T) \oplus g_1(M))$, $C' = g_3(g_2(T') \oplus g_1(M))$. Now if we decrypt $C'$ with tweak $T$, we obtain $M' = g_1^{-1}(g_2(T') \oplus g_2(T) \oplus g_1(M))$. When we encrypt $M'$ under tweak $T'$, we get $C'' = g_3(g_2(T') \oplus g_1(g_1^{-1}(g_2(T') \oplus g_2(T) \oplus g_1(M)))) = g_3(g_2(T') \oplus g_2(T') \oplus g_2(T) \oplus g_1(M)) = g_3(g_2(T) \oplus g_1(M)) = C$.

Note in particular that if both $g_1$ and $g_3$ are permutations, the conditions are satisfied. This has immediate consequences:

Corollary 4. For all $n$, $\mathcal{R}_m \in \Lambda_n$, both $BC(n, \mathcal{R}_m)$ and $BC(n, \mathcal{R}_m + \mathcal{R}_{m+1})$ are not CCA-secure.

Proof. Here, $g_1$ is the permutation described by the $m$ rounds of Luby-Rackoff before the tweak, $g_2(T) = 0^k \| T$ for $BC(n, \mathcal{R}_m)$ and $g_2(T) = T \| T$ for $BC(n, \mathcal{R}_m + \mathcal{R}_{m+1})$, and $g_3$ is the remaining $n - m$ rounds. Clearly $g_1$ and $g_3$ are permutations, so the four message attack applies.
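The following is an added toy simulation, not code from the paper: it implements the $BC(n, \Lambda)$ construction of Section 3.1 with ideal (lazily sampled) round functions, checks the location equivalences of Lemmas 1 and 2 and the two-query relation of Lemma 4, and runs the four-message attack above against $BC(n, \mathcal{R}_m)$ and $BC(n, \mathcal{R}_m + \mathcal{R}_{m+1})$ (Corollary 4) and against a lazily sampled random permutation family. The half-block size $k = 8$, the seeds and the trial counts are assumptions chosen for the toy.

```python
import random

K = 8  # assumed toy half-block size in bits, so blocks are 2k = 16 bits; not the paper's parameter

class RoundFunctions:
    """Ideal round functions f_1..f_n: independent random k-bit to k-bit functions, sampled lazily."""
    def __init__(self, n, seed):
        self.rng = random.Random(seed)
        self.tables = [dict() for _ in range(n + 1)]  # index 0 unused
    def f(self, i, x):
        tab = self.tables[i]
        if x not in tab:
            tab[x] = self.rng.randrange(1 << K)
        return tab[x]

def bc_encrypt(n, locs, rf, L, R, T):
    """BC(n, locs): n Luby-Rackoff rounds with the half-block tweak T XOR-ed in at
    every location in locs.  A location is ('L', i), ('R', i) or ('R', i + 0.5),
    standing for L_i, R_i and R_{i+0.5} of Section 3.1."""
    for i in range(n):
        if ('L', i) in locs: L ^= T
        if ('R', i) in locs: R ^= T
        x = R ^ T if ('R', i + 0.5) in locs else R  # R_{i+0.5} alters only f's input
        L, R = R, rf.f(i + 1, x) ^ L                 # L^{i+1} = R^i, R^{i+1} = f_{i+1}(x) ^ L^i
    if ('L', n) in locs: L ^= T
    if ('R', n) in locs: R ^= T
    return L, R

def bc_decrypt(n, locs, rf, L, R, T):
    """Inverse of bc_encrypt: undo the rounds and tweak XORs in reverse order."""
    if ('L', n) in locs: L ^= T
    if ('R', n) in locs: R ^= T
    for i in reversed(range(n)):
        r_prev = L                                   # L^{i+1} was the (tweaked) R^i
        x = r_prev ^ T if ('R', i + 0.5) in locs else r_prev
        L, R = R ^ rf.f(i + 1, x), r_prev            # L^i = R^{i+1} ^ f_{i+1}(x)
        if ('R', i) in locs: R ^= T
        if ('L', i) in locs: L ^= T
    return L, R

def same_construction(n, locs_a, locs_b, seed=1, trials=500):
    """Lemmas 1 and 2: location sets are equivalent when, sharing round functions,
    they encrypt every (M, T) alike.  Sampled on `trials` inputs; one mismatch refutes."""
    rng, rf = random.Random(seed), RoundFunctions(n, seed)
    for _ in range(trials):
        L, R, T = (rng.randrange(1 << K) for _ in range(3))
        if bc_encrypt(n, locs_a, rf, L, R, T) != bc_encrypt(n, locs_b, rf, L, R, T):
            return False
    return True

def lemma4_two_query(n, seed=2):
    """Lemma 4: on BC(n, R_{n-1}) one message under tweaks T, T' gives L ^ L' == T ^ T'."""
    rng, rf = random.Random(seed), RoundFunctions(n, seed)
    L, R, T, T2 = (rng.randrange(1 << K) for _ in range(4))
    L1, _ = bc_encrypt(n, {('R', n - 1)}, rf, L, R, T)
    L2, _ = bc_encrypt(n, {('R', n - 1)}, rf, L, R, T2)
    return (L1 ^ L2) == (T ^ T2)

def bc_oracles(n, locs, seed=3):
    """Expose BC(n, locs) as encryption/decryption oracles on (L, R) blocks."""
    rf = RoundFunctions(n, seed)
    return (lambda M, T: bc_encrypt(n, locs, rf, *M, T),
            lambda C, T: bc_decrypt(n, locs, rf, *C, T))

class RandomPermFamily:
    """Ideal tweakable cipher: an independent random permutation of (L, R) blocks per tweak."""
    def __init__(self, seed):
        self.rng = random.Random(seed)
        self.fwd, self.inv = {}, {}
    def _fresh(self, taken, T):                      # a block not yet used under tweak T
        v = (self.rng.randrange(1 << K), self.rng.randrange(1 << K))
        return v if (T, v) not in taken else self._fresh(taken, T)
    def enc(self, M, T):
        if (T, M) not in self.fwd:
            C = self._fresh(self.inv, T)
            self.fwd[(T, M)], self.inv[(T, C)] = C, M
        return self.fwd[(T, M)]
    def dec(self, C, T):
        if (T, C) not in self.inv:
            M = self._fresh(self.fwd, T)
            self.fwd[(T, M)], self.inv[(T, C)] = C, M
        return self.inv[(T, C)]

def four_message_attack(enc, dec, M, T, T2):
    """Section 5: C = E(M,T), C' = E(M,T'), M' = D(C',T), C'' = E(M',T'); the
    adversary outputs 1 iff C'' == C.  Returns that bit."""
    C = enc(M, T)
    M2 = dec(enc(M, T2), T)
    return enc(M2, T2) == C

def attack_hit_rate(enc, dec, seed=4, trials=20):
    """How many of `trials` random (M, T, T' != T) triples make the attack output 1."""
    rng, hits = random.Random(seed), 0
    for _ in range(trials):
        M = (rng.randrange(1 << K), rng.randrange(1 << K))
        T, T2 = rng.sample(range(1 << K), 2)
        hits += four_message_attack(enc, dec, M, T, T2)
    return hits
```

On $BC(4, \mathcal{R}_2)$ and $BC(5, \mathcal{R}_2 + \mathcal{R}_3)$ the attack outputs 1 on every trial, whereas on the random permutation family it does so only with probability about $2^{-2k}$ per trial.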
This shows that if we are to be able to add a half-block of tweak to the construction anywhere, it must be used at multiple locations, and those locations must be separated by at least one round.$^5$ In fact, however, a one round distance will not suffice:

Lemma 10. For all $n$, $\mathcal{R}_m \in \Lambda_n$, $BC(n, \mathcal{R}_m + \mathcal{R}_{m+2})$ is not CCA-secure, and $BC(n, \mathcal{R}_m + \mathcal{R}_{m+1} + \mathcal{R}_{m+2})$ is also not CCA-secure.

Proof. To simplify, recall that $\mathcal{R}_m + \mathcal{R}_{m+2}$ is equivalent to $\mathcal{R}_{m+0.5}$ by Lemmas 1 and 2. Noticing this makes it clear why this is unlikely to be secure, in light of the previous two corollaries, but we still have some work to do.

Here, we use the four-message attack again, but this time, suppose $g_1$ and $g_3$ are not permutations. Rather, if $(L, R)$ is the output of the first $m$ rounds of the Luby-Rackoff permutation, then $g_1(M)$ is the $3k$-bit response $(L, R, R)$. Notice that $g_2(T)$ is $0^{2k} \| T$, and $g_3(A, B, C)$ computes the remaining rounds, computing $L^{m+1} = B$ and $R^{m+1} = f_{m+1}(C) \oplus A$, and continuing from there. Note that $g_3(g_2(T) \oplus g_1(M))$ is the output we get from applying $BC(n, \mathcal{R}_{m+0.5})$ to $M$ with tweak $T$. For the $BC(n, \mathcal{R}_m + \mathcal{R}_{m+1} + \mathcal{R}_{m+2})$ construction, this is just the same as $BC(n, \mathcal{R}_{m+0.5} + \mathcal{L}_m)$, and we change $g_2$ so that it produces $T \| 0^k \| T$ rather than $0^{2k} \| T$. Clearly $g_1$ is injective and invertible, and $g_3$ has unique inverses of the proper form, which we can find by inverting the tweakable blockcipher and noting the values in the proper place. Doing so requires the tweak $T$, but the answer is unique regardless, or we wouldn’t have unique decryption. By Theorem 6, neither of these constructions is CCA-secure.

Theorem 7. For all $n < 6$ and all compound locations $\Gamma$ of elements in $\Lambda_n$, $BC(n, \Gamma)$ is not CCA-secure.

Proof. In order to construct a CCA-secure tweakable blockcipher, we must use the tweak at (minimally) $\mathcal{R}_m$ and $\mathcal{R}_{m+d}$ for some $d \ge 3$. And naturally, $m$ and $m+d$ must be in the range $2, \ldots, n-1$ since all other locations can be simulated. For $n \le 5$ no such pair of locations exists.

Therefore, the first construction that can be CCA-secure is $BC(6, \mathcal{R}_2 + \mathcal{R}_5)$, and it is in fact a secure construction!

Theorem 8. $BC(6, \mathcal{R}_2 + \mathcal{R}_5)$ is a CCA-secure tweakable blockcipher.

Proof. For the proof, see the full version.

5.1 CCA Security Against Exponential Attacks 

Theorem 9. $BC(10, \mathcal{L}_3 + \mathcal{R}_3 + \mathcal{L}_7 + \mathcal{R}_7)$ is CCA-secure for $q \ll 2^k$ queries.

Proof. In order to construct a tweakable blockcipher secure against CCA exponential attacks, we use a theorem of Patarin:

$^5$ This shows, along with Lemma 4, that an adversary making a CCA attack with XOR injection will be able to succeed, regardless of the location of the XOR.
Theorem 10 (Patarin). Let $F$ and $F'$ be functions from $2k$ bits to $2k$ bits. If $F$ and $F'^{-1}$ each have the property that for $q \ll 2^k$ queries, the probability of having $l \ge O(k)$ indices such that $R_{i_1} = R_{i_2} = R_{i_3} = \cdots = R_{i_l}$ is negligible (where $R_j$ is the right half of the $j$'th output of $F$ or $F'^{-1}$), and on distinct inputs $F$ (and $F'^{-1}$) has only a negligible probability of a full collision on its outputs, then $F' \circ E \circ F$ (where $E$ is a four-round Luby-Rackoff function) is indistinguishable from random against chosen-ciphertext attack for $q \ll 2^k$ input queries.

In our construction, the first three rounds, including the tweaks at $\mathcal{L}_3$ and $\mathcal{R}_3$, form $F$, and the last three rounds, including the tweaks at $\mathcal{L}_7$ and $\mathcal{R}_7$, form $F'$. $F'^{-1}$ is just the same as $F$, except with distinct round functions. Both $F$ and $F'^{-1}$ meet the properties of Theorem 10, as we have shown in our proof of Lemma 9. $BC(10, \mathcal{L}_3 + \mathcal{R}_3 + \mathcal{L}_7 + \mathcal{R}_7) = F' \circ E \circ F$, and is therefore CCA-secure against $q \ll 2^k$ queries.

6 Allowing Longer Tweaks 

In our previous results, all tweaks were assumed to be a half block in length. It 
may be desirable, however, to have tweaks of arbitrary lengths. We can always 
lengthen a tweak that is shorter than a half block by padding it in a deterministic 
way. Increasing the length of a tweak beyond a half block, however, does 
not follow easily. It may be useful to have constructions that are still secure with 
longer tweaks, as one usual way of choosing a tweak is to include data with it 
that makes it unique [?]. The longer the tweak, the more data can be included. 

Tweakable Blockciphers with Longer Tweaks. For $t$ half-blocks of tweak, we show 
how to construct a CPA-secure tweakable blockcipher in $t + 3$ rounds and a 
CCA-secure tweakable blockcipher in $2t + 4$ rounds. 

Theorem 11. For all $n$, one can use $n - 3$ half-blocks of tweak but no more. 
Specifically, $BC(n, R_2, \ldots, R_{n-2})$ is secure, but any construction 
$BC(n, r_1, \ldots, r_t)$ with $t > n - 3$ is not secure. 

Theorem 12. For all $n$, the tweakable blockcipher $BC(2n, R_2 + R_{2n-1}, R_3 + 
R_{2n-2}, \ldots, R_{n-1} + R_{n+2})$ is a CCA-secure tweakable blockcipher. 

Proof. For proofs of Theorem 11 and Theorem 12, see the full version [?]. 
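To make the $BC(n, r_1, \ldots, r_t)$ notation of Theorems 8 and 12 concrete, the following Python block (added here as an illustration; it is not code from the paper) builds an $n$-round Luby-Rackoff cipher and XORs each tweak into the state at the halves and rounds named by its compound location, then checks that decryption inverts encryption. Everything not stated on the page is an assumption of this example: $L_i$ / $R_i$ are read as the left / right half of the state entering round $i$, the round functions $f_i$ are instantiated with HMAC-SHA256 keyed per round as a stand-in for the independent random functions of the model, halves are 64 bits, and the sample key, message and tweaks are constructed. The code demonstrates the structure and invertibility of the constructions only; it carries none of the paper's security claims.

```python
import hashlib
import hmac
import re

HALF = 8  # constructed choice: k = 64-bit halves, so the cipher maps 2k = 128-bit blocks


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def round_function(key: bytes, i: int, x: bytes) -> bytes:
    """Round i's function f_i: HMAC-SHA256 keyed by (key, i), truncated to a half-block.
    This stands in for the independent random functions of the Luby-Rackoff model."""
    return hmac.new(key, i.to_bytes(2, "big") + x, hashlib.sha256).digest()[:HALF]


def parse_location(spec: str):
    """'R2 + R5' -> [('R', 2), ('R', 5)]: the half, and the round before which, a tweak is XORed in."""
    return [(m.group(1), int(m.group(2))) for m in re.finditer(r"([LR])(\d+)", spec)]


def bc(key: bytes, n: int, locations, block: bytes, tweaks, decrypt: bool = False) -> bytes:
    """BC(n, r_1, ..., r_t): an n-round Luby-Rackoff cipher where tweak T_j is XORed into the
    state at each (half, round) listed in compound location r_j. Convention assumed here:
    L_i / R_i denote the left / right half of the state entering round i."""
    assert len(block) == 2 * HALF and len(locations) == len(tweaks)
    assert all(len(t) == HALF for t in tweaks), "each tweak is one half-block"
    inject = {}
    for tweak, spec in zip(tweaks, locations):
        for half, i in parse_location(spec):
            assert 1 <= i <= n, "tweak location outside the cipher"
            inject.setdefault((half, i), []).append(tweak)

    def apply_tweaks(i, L, R):
        for t in inject.get(("L", i), []):
            L = xor(L, t)
        for t in inject.get(("R", i), []):
            R = xor(R, t)
        return L, R

    L, R = block[:HALF], block[HALF:]
    if not decrypt:
        for i in range(1, n + 1):
            L, R = apply_tweaks(i, L, R)                  # inject before round i
            L, R = R, xor(L, round_function(key, i, R))   # Feistel round i
    else:
        for i in range(n, 0, -1):
            L, R = xor(R, round_function(key, i, L)), L   # undo round i
            L, R = apply_tweaks(i, L, R)                  # strip the tweak injected before round i
    return L + R


def theorem12_locations(n: int):
    """Compound locations of Theorem 12: BC(2n, R_2 + R_{2n-1}, ..., R_{n-1} + R_{n+2})."""
    return [f"R{i} + R{2 * n + 1 - i}" for i in range(2, n)]


def roundtrip(key, n, locations, block, tweaks):
    """Encrypt then decrypt; returns (ciphertext, recovered plaintext)."""
    c = bc(key, n, locations, block, tweaks)
    return c, bc(key, n, locations, c, tweaks, decrypt=True)


# Constructed sample inputs.
KEY = bytes(range(32))
MSG = bytes(range(16))
T1, T2 = b"tweak-01", b"tweak-02"

if __name__ == "__main__":
    c, m = roundtrip(KEY, 6, ["R2 + R5"], MSG, [T1])                    # Theorem 8's construction
    print(c.hex(), m == MSG)
    c2, m2 = roundtrip(KEY, 8, theorem12_locations(4), MSG, [T1, T2])  # Theorem 12 with n = 4
    print(c2.hex(), m2 == MSG)
```

Decryption runs the rounds backwards and XORs a tweak out again right after undoing the round it was injected before, which is why the same `apply_tweaks` serves both directions; with `theorem12_locations(4)` the two tweaks land at $R_2 + R_7$ and $R_3 + R_6$ in an 8-round cipher, matching $2t + 4$ rounds for $t = 2$.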

Longer Tweaks with Exponential Security. Next, we focus on constructing Luby-
Rackoff based tweakable blockciphers which are secure against an unbounded 
adversary with $q \ll 2^k$ queries. For $t$ half-blocks of tweak, we show how to 
construct a CPA-secure tweakable blockcipher in $t + 6$ rounds and give a CCA-secure 
tweakable blockcipher in $2t + 8$ rounds that meets this security goal. These constructions 
are based on a $(t + 2)$-round function $F$ designed to meet the properties required 
by Patarin. 

Theorem 13. Let $\rho_i = L_{i+2}$ if $i = 1$ or $i \equiv 2 \pmod 4$, let $\rho_i = L_{i+2} + L_1$ if 
$i \equiv 3 \pmod 4$, and $\rho_i = L_{i+2} + L_2$ if $i \equiv 0 \pmod 4$. Let $\rho'_i = \rho_i + R_i$ if $i \not\equiv 2 \pmod 4$, 
and $\rho'_i = \rho_i + R_i + L_1$ otherwise. Then let $F$ be $BC(n + 2, \rho_1, \ldots, \rho_{n-1}, \rho'_n)$. $F$ 
is a function such that for $q \ll 2^k$ queries, the probability of having $l = O(k)$ 
indices such that $R_{i_1} = R_{i_2} = \ldots = R_{i_l}$ is negligible (where $R_{i_j}$ is the right 
half of the $i_j$'th output of $F$), and on $q$ distinct inputs $F$ has only a negligible 
probability of a full collision on its outputs. 

Proof. For proof, see the full paper [?]. 

Theorem 14. $E \circ F$ is a tweakable blockcipher with $t$ tweaks that is secure 
against any unbounded adversary with at most $q \ll 2^k$ queries, where $E$ is a 
four-round Luby-Rackoff cipher. 

Proof. This follows from Theorem 10 and Theorem 13. Note that $E \circ F$ requires 
a total of $t + 6$ rounds. 

Theorem 15. $F' \circ E \circ F$ is a tweakable blockcipher with $t$ tweaks that is 
CCA-secure against any unbounded adversary with at most $q \ll 2^k$ queries, 
where $E$ is a four-round Luby-Rackoff cipher and $F'$ is the inverse of the $F$ 
described above, with new independent round functions. 

Proof. This follows from Theorem 10 and Theorem 13. Here, $F' \circ E \circ F$ requires 
$2(t + 2) + 4 = 2t + 8$ rounds. 

7 Conclusion 

Table 2 summarizes our constructions, compared to regular blockciphers and the 
second construction of Liskov et al. [12]. This table shows that our results are 
better for CPA constructions, equivalent for CCA against polynomial attacks, 
and worse for CCA against exponential ones. 

Table 2. Number of rounds required for each construction. The prior tweakable 
construction we consider is $\tilde{E}_{K,h}(M, T) = h(T) \oplus E_K(M \oplus h(T))$, where $h$ is an 
$\epsilon$-AXU$_2$ hash function; subsequent constructions are similar. The natural way to realize the 
hash function would be to simply use two random functions on the tweak, one for each 
half of the data stream. Although Liskov et al. do not explicitly consider arbitrary 
tweak length, their construction and proof can be easily extended to do so. 


Security Level                | Blockciphers  | Prior TBCs [12]     | This paper 
------------------------------|---------------|---------------------|-------------------- 
CPA with polynomial queries   | 3 rounds [?]  | 3 + 2 rounds/tweak  | 3 + 1 round/tweak 
CPA with $\ll 2^k$ queries    | 5 rounds [?]  | 5 + 2 rounds/tweak  | 6 + 1 round/tweak 
CCA with polynomial queries   | 4 rounds [?]  | 4 + 2 rounds/tweak  | 4 + 2 rounds/tweak 
CCA with $\ll 2^k$ queries    | 5 rounds [?]  | 5 + 2 rounds/tweak  | 8 + 2 rounds/tweak 


We conclude with some open problems: (1) incorporating tweaks securely into 
other blockcipher structures, (2) direct, specific design of tweakable blockciphers 
(Luby-Rackoff or otherwise) and (3) improving the provable level of security for 
tweakable blockciphers in general. 

Acknowledgments. We thank Ronald L. Rivest and several anonymous reviewers 
for their helpful comments. 
Abstract. In the standard general-adversary model for multi-party pro-
tocols, a global adversary structure is given, and every party must trust 
in this particular structure. We introduce a more general model, the 
asymmetric-trust model, wherein every party is allowed to trust in a dif-
ferent, personally customized adversary structure. We have two main 
contributions. First, we present non-trivial lower and upper bounds for 
broadcast, verifiable secret sharing, and general multi-party computation 
in different variations of this new model. The obtained bounds demon-
strate that the new model is strictly more powerful than the standard 
general-adversary model. Second, we propose a framework for express-
ing and analyzing asymmetric trust in the usual simulation paradigm for 
defining security of protocols, and in particular show a general composi-
tion theorem for protocols with asymmetric trust. 


1 Introduction 

In the standard general-adversary model for multi-party computation 
(MPC) [?], an adversary structure is specified which basically lists all sets of 
parties that we expect the adversary might be able to corrupt. This model is 
symmetric: every party is required to trust in the same adversary structure $\mathcal{A}$. 
This is unnatural since there is no inherent reason why the parties should all 
have the same view on which adversary structure best models the given scenario. 
For instance, two parties may have completely contradictory beliefs on whether 
a third party can be corrupted or not. Also, insisting on one global adversary 
structure may imply that a party must consent to the fact that he himself is com-
pletely untrusted. In this paper, we introduce a more natural asymmetric-trust 
model where each party $p_i$ is allowed to trust in his own adversary structure 
$\mathcal{A}_i$. We then explore the differences between this asymmetric model and the 
standard one. 

Of course, a trivial approach is to try to build a protocol that will be secure 
even if any set from any $\mathcal{A}_i$ is corrupt. However, this may be impossible, namely 
if the union of all $\mathcal{A}_i$ violates known lower bounds for the symmetric model. Our 
main conclusion in this paper is that there are cases where the trivial symmet-
ric solution does not work, but where nevertheless broadcast, verifiable secret 
sharing, or even general secure computation, are possible with asymmetric trust. 

As an example, consider the three-party scenario where $p_1$ distrusts $p_2$, $p_2$ 
distrusts $p_3$, and $p_3$ distrusts $p_1$. In the standard model, MPC requires broadcast 
channels for this problem. In contrast, in the most natural one of our asymmetric-
trust models, MPC does not require broadcast for the same scenario. 

1.1 General Setting 

We assume that $n$ parties $\mathcal{P} = \{p_1, \ldots, p_n\}$ are given who are connected by a 
complete, synchronous network of pairwise channels. Also present is an adversary 
who may corrupt some subset of the parties. 

We consider both passive and active corruption. We also consider both com- 
putational and unconditional security; where we may distinguish between uncon- 
ditional security with negligible error probability or perfect security. When we do 
not state the type of security explicitly, positive results mean that the goal can 
be achieved with unconditional security, and negative results hold even w.r.t. to 
computational security. 

A crucial point is whether the parties are additionally connected by broadcast 
channels and/or share a consistent public-key infrastructure (PKI). In the active 
case, broadcast/PKI typically allow for more resilient protocols than in the set-
ting with only pairwise channels. Note that a PKI can be set up with respect to 
an unconditional pseudo-signature scheme [?]. Therefore, in the PKI setting, 
the achievability of a computationally secure task typically implies its feasibility 
with unconditional security. 

1.2 Contributions 

General multi-party computation (MPC) [?] typically relies on the two fun-
damental building blocks broadcast [?] (BC, aka Byzantine agreement) and (ver-
ifiable) secret-sharing ((V)SS). It is thus interesting to know to which 
extent these tasks can be achieved in a certain model. 

We introduce different variants of the asymmetric-trust model and corre- 
sponding definitions for broadcast, VSS, and general MPC; and give feasibility 
and impossibility results for these cases. Most results demonstrate that protocols 
for the asymmetric model are able to tolerate a strictly stronger adversary than 
any protocol for the symmetric model. For broadcast and VSS, we come quite 
close to characterizing the difference between symmetric and asymmetric trust, 
while the situation is much more open for general MPC. 

In addition we give a general framework for augmenting security models with 
asymmetric trust. For concreteness we describe how to extend the UC frame-
work [?] with asymmetric trust. This seems to be the first simulation-based 
security model for reasoning about asymmetric trust. Finally, we explore the is-
sue of when UC secure MPC is possible when the parties have asymmetric trust 
in the setup assumptions. 
1.3 Symmetric-Trust Model 

In the symmetric-trust model, a single adversary structure $\mathcal{A}$ is given which is a 
monotone subset of the power set of $\mathcal{P}$, $\mathcal{A} \subseteq 2^{\mathcal{P}}$. Monotone means that $A \in \mathcal{A}$ 
and $A' \subseteq A$ imply that $A' \in \mathcal{A}$.¹ The goal is to achieve secure MPC for the case 
that an adversary corrupts the parties in exactly one set in $\mathcal{A}$. However, if the 
adversary manages to corrupt a set $A \notin \mathcal{A}$ then no security is guaranteed. A 
set $A \in \mathcal{A}$ is called maximal if there is no set $A' \in \mathcal{A}$ that strictly contains $A$: 
$\nexists A' \in \mathcal{A} : A' \supsetneq A$. 

The tight bounds [?] for multi-party computation in the symmetric model are 
summarized in the following table where the second column indicates whether 
broadcast channels or a public-key infrastructure (PKI) are available. 

STD      | Broadcast/PKI  | Unconditional | Computational 
---------|----------------|---------------|-------------- 
Passive  | don't care     | $Q^2$ *       | $Q^1$ 
Active   | available      | $Q^2$         | $Q^2$ 
Active   | not available  | $Q^3$         | $Q^3$ 

$Q^k(\mathcal{A}) = \big(\forall A_1, \ldots, A_k \in \mathcal{A} : \bigcup_{i=1}^k A_i \neq \mathcal{P}\big)$ 


1.4 Asymmetric- Trust Model 

In the asymmetric-trust model, every party $p_i$ has its own personalized adversary 
structure $\mathcal{A}_i \subseteq 2^{\mathcal{P}}$. We denote $\mathcal{A} = (\mathcal{A}_1, \ldots, \mathcal{A}_n)$ as the aggregate adversary 
structure and define $\mathcal{A}^* := \bigcup_{i=1}^n \mathcal{A}_i$. We assume that each party $p_i$ trusts itself, 
i.e., $A \in \mathcal{A}_i \Rightarrow p_i \notin A$. The set of corrupted parties is denoted by $F$. 

We generally assume that all the adversary structures Ai are publicly known, 
so that we can use information on them in the code of our protocols. In other 
words, parties must make their beliefs public. Indeed, this seems necessary for 
our feasibility results and besides we do not believe this to be problematic: 
even if we were in the symmetric model and just wanted to agree on one global 
adversary structure, it would still seem necessary to discuss beliefs in public. 

We now introduce some variants of the asymmetric-trust model. The pre- 
sentation here is somewhat informal; we show later in the paper how to fully 
formalize it using a variant of the UC framework. 

Via Symmetry. One approach is to define security for $(\mathcal{A}_1, \ldots, \mathcal{A}_n)$ via the 
usual symmetric notion. It is clear that if party $p_i$ believes that the subsets in 
$\mathcal{A}_i$ could be corrupted, then $p_i$ would only be willing to participate in an $\mathcal{A}$-
secure protocol $\pi$ if $\mathcal{A}_i \subseteq \mathcal{A}$: if $\mathcal{A}_i \setminus \mathcal{A} \neq \emptyset$, then there exists a subset $F \subseteq 
\{p_1, \ldots, p_n\}$ which $p_i$ thinks might be corrupted and which $\pi$ might not tolerate 
being corrupted. 

1 However, we allow for the loose notation of non-monotone structures $\mathcal{A}$, in which 
case we actually mean the structure's monotone closure, e.g., $\mathcal{A} = \{\{p_1\}\}$ refers to 
the actual structure $\mathcal{A} = \{\{p_1\}, \emptyset\}$. 
The definition going via symmetry insists on still giving a definition of security 
by specifying some subsets $F$ against which the protocol should be secure. As 
argued above, to allow all parties to participate in $\pi$, any such definition would 
have to require $\pi$ simply to tolerate the corruption structure $\mathcal{A}^* = \bigcup_{i=1}^n \mathcal{A}_i$. This 
of course gives no new view on asymmetric trust. 

Via Allowed Consequences. A more interesting approach to trust is to say 
that in reality all subsets $F \subseteq \{p_1, \ldots, p_n\}$ can imaginably be corrupted. The 
party $p_i$ having corruption structure $\mathcal{A}_i$ simply means that $p_i$ thinks it very 
unlikely that a subset $A_i \notin \mathcal{A}_i$ will be corrupted. A reasonable security defini-
tion should therefore allow any corruption pattern $F \subseteq \{p_1, \ldots, p_n\}$ to occur. 
The goal is then (similarly to [?]) to specify for each $F \subseteq \{p_1, \ldots, p_n\}$ what 
consequences the corruption of $F$ is allowed to have. These consequences should 
ideally be such that all $p_i$ would be willing to participate in an $(\mathcal{A}_1, \ldots, \mathcal{A}_n)$-
secure protocol. 

Strict. In the strict notion we take the standard security definitions for broad- 
cast, VSS, and MPC, and require that no matter what subset F C { 1 , . . . ,n} 
is corrupted, the protocol must provide full security to all uncorrupted parties. 
In terms of threshold security this corresponds to t = n and is unattainable for 
most multi-party tasks. Two-party tasks like secure communication and zero- 
knowledge however have strictly secure implementations, possibly using setup 
assumptions. 

Fully Relaxed. At the other extreme from strict security we consider fully 
relaxed security. From the set $F \subseteq \{p_1, \ldots, p_n\}$ of corrupted parties we define 
three types of parties: corrupted, naive, foreseeing. A corrupted party is a party 
from $F$. A naive party $p_i$ is honest (not from $F$) but it happens that $F \notin \mathcal{A}_i$. A 
foreseeing party $p_i$ is honest and has $F \in \mathcal{A}_i$. A naive party is called naive as it 
believed it very unlikely that $F$ would be corrupted, yet it was. 

The fully relaxed model requires full security (in the usual sense) for the set 
of foreseeing parties but no security for the naive parties. That is, a naive party 
is treated like a corrupted party (although it is not controlled by the adversary). 

If $(\mathcal{A}_1, \ldots, \mathcal{A}_n) = (\mathcal{A}, \ldots, \mathcal{A})$ for some common adversary structure $\mathcal{A}$, then 
all parties are foreseeing (and thus protected) as long as $F \in \mathcal{A}$ and all parties 
are naive (and thus unprotected) as long as $F \notin \mathcal{A}$. In this sense fully relaxed 
security corresponds to usual $\mathcal{A}$-security. 

Semi- relaxed. Strict security protects even naive parties and fully relaxed 
security gives no security at all to naive parties. There are different ways to 
define a semi-relaxed model in-between these extremes. In general, a semi-relaxed 
model requires full security for the set of foreseeing parties but still some partial 
security (to be defined) for naive parties. 

The main reason why we consider semi-relaxed models is that, in the fully 
relaxed model, composition of subprotocols is difficult. A naive party may, for 
instance, not be able to consistently broadcast the message it wants although it 
follows the protocol. Extending some security constraints to the set of all honest 
parties thus allows protocols to be composed more easily. 

2 Broadcast, VSS, and MPC with Asymmetric Trust 

In this section we focus on implementing broadcast, VSS, and MPC in the point-
to-point model with asymmetric trust. A first observation is that in the passive 
case, as well as in the active case where broadcast or a PKI is given, the sym-
metric bounds (summarized in the table below²) still hold for any of the defined 
asymmetric-trust models: 

Theorem 1. In the passive case and in the active case with broadcast (or PKI), 
broadcast, VSS, and MPC in any asymmetric model are achievable with respect 
to an aggregate adversary structure $\mathcal{A} = (\mathcal{A}_1, \ldots, \mathcal{A}_n)$ if and only if they are 
achievable with respect to the structure $\mathcal{A}^* = \bigcup_{i=1}^n \mathcal{A}_i$ in the symmetric-trust 
model: 

           | Passive                | Active (BC/PKI) 
-----------|------------------------|---------------- 
Broadcast  | $Q^1$                  | - 
(V)SS      | $Q^1$                  | $Q^2$ 
MPC        | $Q^2$ (see footnote 2) | $Q^2$ 

Proof. The cases where there is a protocol for any structure are trivial. For all 
remaining cases $Q^2(\mathcal{A}^*)$ is a tight bound in the symmetric model. 

$\Leftarrow$: Trivially, if a task is achievable in the symmetric model for $\mathcal{A}^*$ then it is also 
achievable in any asymmetric model for aggregate structure $(\mathcal{A}^*, \ldots, \mathcal{A}^*)$ 
and thus for any $\mathcal{A} = (\mathcal{A}_1, \ldots, \mathcal{A}_n)$ such that $\bigcup_{i=1}^n \mathcal{A}_i = \mathcal{A}^*$. 

$\Rightarrow$: Assume any protocol in the asymmetric model for some aggregate structure 
$\mathcal{A} = (\mathcal{A}_1, \ldots, \mathcal{A}_n)$ such that $\neg Q^2(\mathcal{A}^*)$. Since each party trusts itself there 
must be two distinct parties $p_i$ and $p_j$ and adversary sets $A_i \in \mathcal{A}_i$ and 
$A_j \in \mathcal{A}_j$ such that $A_i \cup A_j = \mathcal{P}$, $p_i \in A_j$ and $p_j \in A_i$. From this, we 
can build a two-party protocol for the same task wherein the parties distrust 
each other. This is done by having one party simulate $p_i$ (and the parties 
in $A_j$) and the other one $p_j$ (and the parties in $A_i$), and then execute the 
asymmetric protocol we assumed exists. 

For unconditionally secure MPC in the passive case this implies that two 
parties can securely compute the logical OR over their input bits, which is 
impossible [?]. 

For VSS (in the active case) this implies that a dealer can secret-share a 
value in the two-party setting such that the other party can reconstruct it 
during the reconstruction phase without the help of the dealer; but then it 
can also do so at any time after the sharing phase, which contradicts security. 

For MPC (and secure function evaluation, in particular) in the active case 
this implies that two parties can flip a fair coin, which is impossible [?]. □ 

2 The only difference between computational and unconditional security occurs for 
MPC in the passive case where MPC for any structure is achievable with computa-
tional security but $Q^2$ is necessary for unconditional security. 

In view of this theorem, for the rest of this section, we concentrate on the case 
where the adversary is active and where BC/PKI are not assumed. 

2.1 Broadcast 

Definition 1 (Broadcast w/ full relaxation). A protocol where sender $p_s \in 
\mathcal{P}$ inputs $x_s \in \mathcal{D}$, and all $p_i \in \mathcal{P}$ output $y_i \in \mathcal{D}$, achieves broadcast with full 
relaxation if: 

Validity: If $p_s$ and $p_i$ are honest and $F \in \mathcal{A}_s \cap \mathcal{A}_i$ then $y_i = x_s$. 
Consistency: If $p_i$ and $p_j$ are honest and $F \in \mathcal{A}_i \cap \mathcal{A}_j$ then $y_i = y_j$. ◦ 

For the use as a subprotocol in MPC, a helpful additional property of broadcast 
is to demand validity independently of the sender's adversary structure. In that 
way, a naive party can still consistently convey its view. We define semi-relaxed 
broadcast as broadcast with sender-independent validity in the following way, 
where we only state the different validity condition. 

Definition 2 (Broadcast w/ sender-indep. validity (semi-relaxed)). 

Validity: If $p_s$ and $p_i$ are honest and $F \in \mathcal{A}_i$ then $y_i = x_s$. ◦ 

The following theorem is proven in the full version of the paper. 

Theorem 2. Broadcast with sender-independent validity for every sender $p_s \in 
\mathcal{P}$ is (perfectly) achievable if and only if 

$B^3(\mathcal{A}) = \forall \mathcal{A}_i, \mathcal{A}_j : \forall A_i \in \mathcal{A}_i, A_j \in \mathcal{A}_j, A_{ij} \in \mathcal{A}_i \cap \mathcal{A}_j : A_i \cup A_j \cup A_{ij} \neq \mathcal{P}.$ 

Note that $B^3(\mathcal{A})$ is a proper relaxation of $Q^3(\mathcal{A})$, which is necessary and suf-
ficient in the symmetric framework. In particular, $B^3(\mathcal{A})$ is a condition on all 
pairs of parties, whereas $Q^3(\mathcal{A})$ is the condition $\forall A_i \in \mathcal{A}_i, A_j \in \mathcal{A}_j, A_k \in \mathcal{A}_k : 
A_i \cup A_j \cup A_k \neq \mathcal{P}$ on all triples of parties. Trivially, any semi-relaxed version 
of broadcast implies broadcast with full relaxation. Achievability under $B^3(\mathcal{A})$ 
thus follows for the fully relaxed case. However, the next two results show, first, 
that $B^3(\mathcal{A})$ is not necessary for fully relaxed broadcast, and second, a weaker 
but necessary condition. 

Proposition 1. There are aggregate structures $\mathcal{A}$ such that $\neg B^3(\mathcal{A})$ and broad-
cast with full relaxation is achievable for every selection of a sender $p_s \in \mathcal{P}$. 

Proof. Consider aggregate structure $\mathcal{A} = (\{\{p_2\}, \{p_3\}\}, \{\{p_1\}, \{p_3\}\}, \emptyset)$ among 
$\mathcal{P} = \{p_1, p_2, p_3\}$. If the sender is $p_1$ or $p_2$ then it can simply multi-send its 
input value since, with respect to $p_3$, validity and consistency only have to hold 
if nobody is corrupted. If the sender is $p_3$ then $p_3$ can send its input value to 
$p_1$ who in turn sends it to $p_2$. Again, validity and consistency with respect to 
$p_3$ only have to hold if no party is corrupted; parties $p_1$ and $p_2$ are trivially 
consistent. □ 

Theorem 3. If there are structures $\mathcal{A}_i$, $\mathcal{A}_j$, and $\mathcal{A}_k$, and sets $A_{ij} \in \mathcal{A}_i \cap \mathcal{A}_j$, 
$A_{ik} \in \mathcal{A}_i \cap \mathcal{A}_k$, $A_{jk} \in \mathcal{A}_j \cap \mathcal{A}_k$, such that $A_{ij} \cup A_{ik} \cup A_{jk} = \mathcal{P}$ then broadcast 
with full relaxation is not achievable for any selection of a sender $p_s \in \mathcal{P}$. 

Proof. Along the lines of the lower-bound part of the proof of Theorem 2. □ 
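The conditions $Q^k$ (Sect. 1.3), $B^3$ (Theorem 2) and the hypothesis of Theorem 3 are all finite checks over a small aggregate structure, so they can be evaluated mechanically. The Python block below is an added example, not code from the paper: it represents each $\mathcal{A}_i$ by its maximal sets, treats the empty set as always present (footnote 1), and evaluates the three conditions on the cyclic-distrust scenario from the introduction, on the structure from the proof of Proposition 1, and on a constructed symmetric "any one party may be corrupt" structure. One modelling assumption is mine: the quantifiers over structures $\mathcal{A}_i, \mathcal{A}_j$ (and $\mathcal{A}_k$) are taken over all index tuples, repeated indices included.

```python
from itertools import product


def fs(*members):
    return frozenset(members)


def closure(struct):
    """A structure is given by its maximal sets; its monotone closure always contains
    the empty set (footnote 1), so add it explicitly."""
    return set(struct) | {fs()}


def q_k(struct, parties, k):
    """Q^k(A) of Sect. 1.3: no k sets of A together cover all parties. Checking the maximal
    sets (plus the empty set) suffices, since shrinking a set can only shrink a union."""
    return all(fs().union(*sets) != parties for sets in product(closure(struct), repeat=k))


def aggregate_union(aggregate):
    """A* = union of all A_i, again as a set of (not necessarily maximal) sets."""
    return set().union(*(closure(s) for s in aggregate.values()))


def intersect(s1, s2):
    """Sets lying in both closures: every subset of some A ∩ B; listing the A ∩ B suffices."""
    return {A & B for A in closure(s1) for B in closure(s2)}


def b3(aggregate, parties):
    """B^3(A) of Theorem 2: for all structures A_i, A_j, no A_i in A_i, A_j in A_j and
    A_ij in A_i ∩ A_j cover all parties. Index pairs are taken with repetition (assumption)."""
    for Ai, Aj in product(aggregate.values(), repeat=2):
        for X, Y in product(closure(Ai), closure(Aj)):
            for Z in intersect(Ai, Aj):
                if X | Y | Z == parties:
                    return False
    return True


def theorem3_applies(aggregate, parties):
    """Hypothesis of Theorem 3 (fully relaxed broadcast impossible): sets A_ij, A_ik, A_jk
    in the pairwise intersections of three structures that together cover all parties."""
    for Ai, Aj, Ak in product(aggregate.values(), repeat=3):
        for X, Y, Z in product(intersect(Ai, Aj), intersect(Ai, Ak), intersect(Aj, Ak)):
            if X | Y | Z == parties:
                return True
    return False


def report(aggregate, parties):
    star = aggregate_union(aggregate)
    return {"Q2(A*)": q_k(star, parties, 2), "Q3(A*)": q_k(star, parties, 3),
            "B3(A)": b3(aggregate, parties), "Thm3": theorem3_applies(aggregate, parties)}


P3 = fs(1, 2, 3)
# Sect. 1: p1 distrusts p2, p2 distrusts p3, p3 distrusts p1.
CYCLIC = {1: {fs(2)}, 2: {fs(3)}, 3: {fs(1)}}
# Proposition 1: A = ({{p2},{p3}}, {{p1},{p3}}, ∅).
PROP1 = {1: {fs(2), fs(3)}, 2: {fs(1), fs(3)}, 3: set()}
# Constructed symmetric structure: every party distrusts each single other party.
ANY_ONE = {1: {fs(2), fs(3)}, 2: {fs(1), fs(3)}, 3: {fs(1), fs(2)}}

if __name__ == "__main__":
    for name, agg in [("cyclic", CYCLIC), ("prop1", PROP1), ("any_one", ANY_ONE)]:
        print(name, report(agg, P3))
```

On the cyclic scenario $\neg Q^3(\mathcal{A}^*)$ holds, so symmetric broadcast without setup is out of reach, yet $B^3(\mathcal{A})$ holds and Theorem 2 gives broadcast with sender-independent validity; Proposition 1's structure violates $B^3$ but does not meet the hypothesis of Theorem 3, which is consistent with the fully relaxed protocol given in its proof; the symmetric "any one" structure meets Theorem 3's hypothesis, matching the classical impossibility.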

2.2 Verifiable Secret Sharing (VSS) 

Definition 3 (VSS w/ full relaxation). A pair of protocols (Sh, Rec) wherein 
dealer $p_d \in \mathcal{P}$ inputs secret $s$ in protocol Sh and every $p_i \in \mathcal{P}$ outputs $s_i$ in 
protocol Rec achieves VSS with full relaxation if: 

Secrecy: If $p_d$ is honest and $F \in \mathcal{A}_d$ then the adversary has no information 
about $s$ as long as protocol Rec has not started yet. 

Correctness: If $p_d$ and $p_i$ are honest and $F \in \mathcal{A}_d \cap \mathcal{A}_i$ then $p_i$ computes output 
$s_i = s$ in protocol Rec. 

Commitment: If $p_i$ and $p_j$ (case $i = j$ included) are honest and $F \in \mathcal{A}_i \cap \mathcal{A}_j$ 
then, after termination of protocol Sh, there is a value $s' \in \mathbb{F}$ such that, in 
protocol Rec, $p_i$ and $p_j$ compute output $s_i = s_j = s'$. ◦ 

It may be tempting to believe that fully relaxed VSS could be obtained by 
just running a standard VSS protocol that is secure with respect to the dealer's 
adversary structure $\mathcal{A}_d$. But such a protocol provides no security at all if $F \notin \mathcal{A}_d$, 
and hence cannot in general guarantee that the commitment property is satisfied. 

We define semi-relaxed VSS as VSS with dealer-independent correctness in the 
following way — where we only state the conditions different from the previous 
definition. 

Definition 4 (VSS w/ dealer-indep. correctness (semi-relaxed)). 

Correctness: If $p_d$ and $p_i$ are honest and $F \in \mathcal{A}_i$ then $p_i$ computes output 
$s_i = s$ in protocol Rec. ◦ 

We derive our VSS protocols from the VSS protocol in [?]. Note that, since we 
are not given full-fledged broadcast, additional measures have to be taken. 

Theorem 4. Perfectly secure VSS with full relaxation is achievable for every 
selection of a dealer $p_d \in \mathcal{P}$ if 

$V^3(\mathcal{A}) = \forall \mathcal{A}_i, \mathcal{A}_j : \forall A_i \in \mathcal{A}_i, A'_i \in \mathcal{A}_i, A_j \in \mathcal{A}_j : A_i \cup A'_i \cup A_j \neq \mathcal{P}.$ 

Proof. Follows from the protocol in Fig. 1, which is analyzed in Lemma 1. □ 

Lemma 1. For a given $V^3$-structure, the protocol in Fig. 1 achieves fully relaxed 
VSS with perfect security. 

Proof. Secrecy: If $F \in \mathcal{A}_d$, pick a maximal $A_k \in \mathcal{A}_d$ with $F \subseteq A_k$; then the holders 
$P_k = \mathcal{P} \setminus A_k$ of share $s_k$ are all honest, and $s_k$ does not get opened during 
the sharing phase by an honest dealer, since it receives no complaints from within 
$P_k$ with respect to this share (all broadcasts are valid with respect to $p_d$). 
Share $s_k$ perfectly hides the secret. 
Sharing Sh: For each maximal set $A_k \in \mathcal{A}_d$, the dealer $p_d$ assigns a random share 
$s_k \in \mathbb{F}$ with the only restriction that $s = \sum_k s_k$. The dealer sends each $s_k$ to all 
parties in $P_k = \mathcal{P} \setminus A_k$. Each party $p_i \in P_k$ stores $s_k$ and $s'_k := s_k$. 
For each $s_k$, the parties in $P_k$ pairwise compare their shares. If any inconsistency 
is detected by a party $p_i \in P_k$, it broadcasts (w/ sender-independent validity) a 
complaint to all parties in $\mathcal{P}$. 

Now, if the dealer receives any complaint, it opens share $s_k$ by broadcast (w/ sender-
independent validity) towards $\mathcal{P}$. Party $p_i \in \mathcal{P}$ always adopts any opening by the 
dealer. If a party $p_i \in \mathcal{P}$ sent or received a complaint but does not see the dealer 
open $s_k$, it disqualifies the dealer and defines $s_k := 0$. Note that a party in $P_k$ who 
disqualifies the dealer still stores the initial share $s'_k$ it is holding, although, from 
now on, it uses $s_k = 0$ for its own computation. 

A party $p_i \in A_k$ who, at this point, neither disqualified the dealer nor saw the 
dealer open share $s_k$, is called $k$-curious. 

Reconstruction Rec: For each share $s_k$, 

- All parties in $P_k$ multi-send $s'_k$ to the parties in $A_k$. 

- All parties who are not $k$-curious accept $s_k$ as the reconstructed share. 

- All parties $p_j$ who are $k$-curious wait for the parties $p_i \in P_k$ to send their 
shares. Then they search for a set $A_j \in \mathcal{A}_j$ such that all parties in $P_k \setminus A_j$ sent 
the same share $s'_k$. Party $p_j$ then accepts $s_k := s'_k$. 

Finally, all shares $s_k$ are summed up in order to compute the reconstructed secret. 


Fig. 1. Protocol VSS with full relaxation 


Correctness: We show that when parties $p_d$ and $p_i$ are honest and $F \in 
\mathcal{A}_d \cap \mathcal{A}_i$ then, during reconstruction, $p_i$ opens each share $s_k$ (share with 
respect to $A_k \in \mathcal{A}_d$) correctly as distributed by $p_d$. 

First, we observe that $p_i$ does not disqualify the dealer $p_d$: disqualification 
implies a complaint sent or received by $p_i$, and thus also received by $p_d$. 
This forces $p_d$ to open $s_k$, implying that $p_i$ does not disqualify $p_d$. This 
implies that either $p_d$ opened $s_k$ during the sharing phase or that all honest 
parties in $P_k$ agree on the same share $s'_k = s_k$. An opening during the sharing 
phase is correctly received by $p_i$ (validity of broadcast). If $p_i$ remains $k$-
curious then there is the unique value $s'_k = s_k$ such that there exists some 
$A_i \in \mathcal{A}_i$ with all parties in $P_k \setminus A_i$ opening the same share $s'_k$, since 
$A_d \cup A_i \cup A'_i \neq \mathcal{P}$. 

Commitment: Consider two honest parties $p_i$ and $p_j$ such that $F \in \mathcal{A}_i \cap \mathcal{A}_j$. 
All information that is broadcast is thus valid and consistent with respect 
to $p_i$ and $p_j$. We distinguish three cases. 

- $p_i, p_j \in P_k$. Because of broadcast consistency, both parties either dis-
qualify the dealer ($s_k = 0$), or accept the same initial share, or adopt 
the same share being opened by the dealer. 

- $p_i \in P_k$, $p_j \in A_k$. Because of broadcast consistency, $p_i$ and $p_j$ receive 
exactly the same values that are broadcast. Thus either both disqualify, 
or both adopt, or $p_i$ stays with his initial share whereas $p_j$ is $k$-curious. 
In the latter case, there was no complaint and thus no conflict among 
any honest parties in $P_k$, and thus all honest parties in $P_k$ hold the 
same share $s'_k$. As in the correctness argument, $p_j$ thus finds the unique 
value $s'_k = s_k$ such that there is some $A_j \in \mathcal{A}_j$ with all parties in $P_k \setminus A_j$ 
opening the same share $s'_k$, which is identical to $p_i$'s share. Thus, 
commitment is also guaranteed in the latter case. 

- $p_i, p_j \in A_k$. The parties both either are $k$-curious, or adopt the same 
opening, or disqualify the dealer. If they are $k$-curious then no honest 
party in $P_k$ broadcast a complaint and thus, again, all honest parties in 
$P_k$ hold the same share $s'_k$. Since $F \in \mathcal{A}_i \cap \mathcal{A}_j$ both parties will determine 
a set $A_i \supseteq F$ (and $A_j \supseteq F$, respectively) such that the parties in $P_k \setminus A_i$ 
($P_k \setminus A_j$) all open the same share $s'_k = s_k$. □ 
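The share layout of Fig. 1 (one additive share per maximal set $A_k \in \mathcal{A}_d$, held by $P_k = \mathcal{P} \setminus A_k$) and the $k$-curious reconstruction rule are easy to lose in the case analysis above, so the following Python block simulates them; it is an added example, not code from the paper. It covers the sharing phase for an honest dealer (hence no complaints or openings, and no broadcast is needed), the reconstruction phase with corrupted senders multi-sending garbage, and the $V^3$ test of Theorem 4 as a precondition. Everything beyond the page is a constructed assumption: the field is $GF(2^{61}-1)$, the four-party aggregate structure and the two coalitions are mine, and the structure from Proposition 2's proof is included only to show it fails $V^3$.

```python
import random
from itertools import product

PRIME = 2**61 - 1  # constructed choice: shares live in GF(PRIME)


def fs(*members):
    return frozenset(members)


def in_structure(struct, F):
    """F lies in the monotone closure of struct (given by its maximal sets)."""
    return any(F <= A for A in struct)


def v3(aggregate, parties):
    """V^3(A) of Theorem 4: no A_i, A'_i in A_i together with an A_j in A_j cover all parties."""
    for Ai, Aj in product(aggregate.values(), repeat=2):
        for X, Y, Z in product(Ai, Ai, Aj):
            if X | Y | Z == parties:
                return False
    return True


def share(secret, dealer_struct, parties, rng):
    """Sharing phase of Fig. 1 for an honest dealer (so no complaints, no openings): one
    additive share s_k per maximal set A_k of the dealer's structure, sent to P_k = P \\ A_k.
    Returns the dealt shares {k: (A_k, s_k)} and each party's stored view {p: {k: s'_k}}."""
    maximal = sorted(dealer_struct, key=sorted)
    shares = [rng.randrange(PRIME) for _ in maximal[:-1]]
    shares.append((secret - sum(shares)) % PRIME)  # restriction: the s_k sum to s
    dealt = dict(enumerate(zip(maximal, shares)))
    view = {p: {} for p in parties}
    for k, (A_k, s_k) in dealt.items():
        for p in parties - A_k:
            view[p][k] = s_k
    return dealt, view


def shares_seen_by(F, dealt):
    """Indices k whose share reaches coalition F: F meets P_k exactly when F is not inside A_k."""
    return {k for k, (A_k, _) in dealt.items() if not F <= A_k}


def reconstruct(pj, aggregate, parties, dealt, view, corrupt, rng):
    """Reconstruction phase of Fig. 1 from p_j's point of view. Parties in `corrupt`
    multi-send random garbage instead of their stored share. Returns None when a
    k-curious p_j finds no unique candidate share."""
    total = 0
    for k, (A_k, _) in dealt.items():
        P_k = parties - A_k
        if pj in P_k:                      # not k-curious: p_j uses its own stored share
            total += view[pj][k]
            continue
        received = {p: (rng.randrange(PRIME) if p in corrupt else view[p][k]) for p in P_k}
        candidates = set()
        for Aj in aggregate[pj]:           # look for A_j in A_j such that P_k \ A_j all agree
            voters = P_k - Aj
            values = {received[p] for p in voters}
            if voters and len(values) == 1:
                candidates |= values
        if len(candidates) != 1:
            return None
        total += candidates.pop()
    return total % PRIME


# Constructed four-party example; the aggregate structure satisfies V^3 and the dealer is p_1.
PARTIES = fs(1, 2, 3, 4)
AGG = {1: {fs(2), fs(3)}, 2: {fs(3), fs(4)}, 3: {fs(1)}, 4: {fs(1), fs(2)}}
# Structure from the proof of Proposition 2 among three parties; it violates V^3.
PROP2 = {1: {fs(2), fs(3)}, 2: {fs(1)}, 3: {fs()}}


def demo(secret=123456789, seed=1):
    rng = random.Random(seed)
    dealt, view = share(secret, AGG[1], PARTIES, rng)
    F = fs(3)   # F in A_1 and in A_2: the dealer keeps secrecy and p_2 is foreseeing
    G = fs(4)   # G not in A_1: no secrecy promised; G not in A_3: p_3 is naive
    return {
        "v3": v3(AGG, PARTIES),
        "prop2_v3": v3(PROP2, fs(1, 2, 3)),
        "F_in_A1_and_A2": in_structure(AGG[1], F) and in_structure(AGG[2], F),
        "G_in_A1": in_structure(AGG[1], G),
        "F_misses_a_share": len(shares_seen_by(F, dealt)) < len(dealt),
        "G_sees_all_shares": shares_seen_by(G, dealt) == set(dealt),
        "p2_vs_F": reconstruct(2, AGG, PARTIES, dealt, view, F, rng) == secret,
        "p3_vs_G": reconstruct(3, AGG, PARTIES, dealt, view, G, rng),
    }


if __name__ == "__main__":
    print(demo())
```

With $F = \{p_3\}$ the coalition never receives the share belonging to $A_k = \{p_3\}$, which is exactly the secrecy argument of Lemma 1, and the $0$-curious party $p_2$ recovers the secret because the voters $P_0 \setminus \{p_3\}$ are all honest and agree. With $G = \{p_4\}$ the dealer's structure does not contain $G$, so $G$ sees every share, and the naive party $p_3$ (whose only maximal set is $\{p_1\}$) finds no agreeing voter set and ends without a unique candidate, illustrating that fully relaxed security promises naive parties nothing.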

Proposition 2. There are aggregate structures $\mathcal{A}$ such that $\neg V^3(\mathcal{A})$ and VSS 
with full relaxation is achievable for every selection of a dealer $p_d \in \mathcal{P}$. 

Proof. Consider aggregate structure $\mathcal{A} = (\{\{p_2\}, \{p_3\}\}, \{\{p_1\}\}, \emptyset)$ among $\mathcal{P} = 
\{p_1, p_2, p_3\}$. The parties can run the preprocessing protocol from [?] trying to 
establish a PKI with unconditional security. If it succeeds then the players can 
simulate broadcast and thus use the VSS protocol for dishonest minorities in, 
e.g., [?]. If it fails then it suffices that the dealer always reconstructs his input 
value whereas the other parties reconstruct some default value. □ 

The following theorem is proven in the full version of the paper. 

Theorem 5. Unconditionally secure VSS with dealer-independent correctness 
is achievable if $V^3(\mathcal{A})$. Additionally, secrecy with respect to any $F \in \mathcal{A}^*$ can be 
guaranteed. 

Theorem 6. If $\neg V^3(\mathcal{A})$ then perfectly secure VSS with dealer-independent cor-
rectness is not achievable for every selection of a dealer $p_d \in \mathcal{P}$. 

Proof. If $n = 2$ then $\neg V^3(\mathcal{A})$ and self-trust imply $\neg Q^2(\mathcal{A}^*)$, and impossibility 
follows from Theorem 1. We can therefore assume that $n \geq 3$. 

With $\neg V^3(\mathcal{A})$ there are structures $\mathcal{A}_i$ and $\mathcal{A}_j$, and sets $A_i, A'_i \in \mathcal{A}_i$ and 
$A_j \in \mathcal{A}_j$ with $A_i \cup A'_i \cup A_j = \mathcal{P}$. We show that there is no VSS with respect 
to dealer $p_d = p_i$. Note that $A_d \cup A_j \cup A'_d = \mathcal{P}$ and self-trust imply, wlog, that 
$p_d \in A_j$ and $p_j \in A_d$. 

If such a VSS protocol existed then three parties $p_\delta$, $p_\iota$ and $p_\kappa$ could use 
it to simulate VSS among themselves with dealer $p_\delta$ where $(\mathcal{A}_\delta, \mathcal{A}_\iota, \mathcal{A}_\kappa) = 
(\{\{p_\iota\}\}, \{\{p_\delta\}, \{p_\kappa\}\}, \emptyset)$: $p_\delta$ simulates all parties in $A_j$, $p_\iota$ simulates all parties 
in $A_d$, and $p_\kappa$ simulates all parties in $A'_d$. Now the share $s_\iota$ is not allowed to 
give any information about secret $s$, but any triplet $(s_\delta, s_\iota, \cdot)$ perfectly reveals an 
honest dealer's correct secret and any triplet $(\cdot, s_\iota, s_\kappa)$ perfectly reveals the value 
a corrupted dealer was committed to. This is not possible. □ 

Finally, note that impossibility of broadcast implies impossibility of VSS. Thus 
all impossibility results for broadcast naturally extend to VSS. 
2.3 Multi-Party Computation (MPC) 

We now argue informally that, also with respect to general MPC, the 
asymmetric-trust model allows to tolerate strictly more than in the symmet-
ric case. We only consider fully relaxed security, i.e., privacy and correctness 
only hold for foreseeing parties. This notion of MPC security is formalized in 
the following section. 

Theorem 7. In the fully relaxed model, there exist infinitely many aggregate 
structures $\mathcal{A} = (\mathcal{A}_1, \ldots, \mathcal{A}_n)$ with $\neg Q^3(\mathcal{A}^*)$ for which unconditionally secure 
MPC is achievable. 

Proof. We construct an aggregate adversary structure $\mathcal{A}$ for $n = 3T$ parties, 
where each individual $\mathcal{A}_i$ is such that its maximal sets have size $T$, but where 
no set of size $T$ occurs in more than one $\mathcal{A}_i$. Clearly, for each $n$, there are several 
such structures and several of them are not $Q^3$. For such a structure, we can 
implement MPC by first running a preprocessing protocol from [?] that aims 
at establishing a PKI with unconditional security (as discussed earlier). This 
protocol in its most general form has parameters $T$ and $t$, where $2T + t < n$; 
we choose $t = T - 1$. The protocol guarantees success if there are at most $t$ 
corruptions. If there are at most $T$, there will be agreement on the result, which 
is "success" or "failure." Our solution is that, if the preprocessing is successful, 
we run a standard MPC protocol secure against $T$ corruptions based on the PKI 
constructed. If the preprocessing fails, each party computes its output locally 
using its own input and default values for the other parties. As for security, 
note first that if there are more than $T$ corruptions, all parties are naive or 
corrupted, and security is guaranteed. If there are at most $T - 1 = t$ corruptions, 
the preprocessing succeeds, and the protocol is secure. If there are $T$ corruptions, 
either the preprocessing succeeds, in which case we are fine, as before, or 
all honest parties agree that it failed. Since the corrupted set occurs in at most 
one of the $\mathcal{A}_i$, at most one party is foreseeing, and it may securely compute its 
output locally since the fully relaxed requirement only forces foreseeing parties 
to be consistent. All other parties are naive or corrupt. □ 
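The construction in the proof, and its case analysis, as an added worked example (our own code, not the paper's): parties are the integers $0, \ldots, n-1$, every $T$-subset of the party set is dealt round-robin to one party, and we read $\mathcal{A}^*$ as the union of the $\mathcal{A}_i$ (an assumption about the notation).

```python
from itertools import combinations

# Added example (not from the paper): the aggregate adversary structure built
# in the proof of Theorem 7 for n = 3T parties, and the case analysis the
# proof makes once the preprocessing has reported success or failure.
# Parties are the integers 0..n-1 and a corruption set is a frozenset of
# them; we take A^* to mean the union of the A_i (our reading of the notation).

def aggregate_structure(T):
    """Return (n, [A_0, ..., A_{n-1}]): the T-subsets of the party set are
    dealt round-robin to the n parties and A_i is the downward closure of the
    T-subsets party i received, so every maximal set of A_i has size T and no
    T-set lies in more than one A_i."""
    n = 3 * T
    structures = [set() for _ in range(n)]
    for idx, maximal in enumerate(combinations(range(n), T)):
        owner = idx % n
        for size in range(T + 1):
            for sub in combinations(maximal, size):
                structures[owner].add(frozenset(sub))
    return n, structures

def union_structure(structures):
    out = set()
    for s in structures:
        out |= s
    return out

def is_q3(structure, n):
    """Q^3 holds iff no three sets of the structure together cover all n parties."""
    sets = list(structure)
    for a in sets:
        for b in sets:
            for c in sets:
                if len(a | b | c) == n:
                    return False
    return True

def foreseeing(structures, corrupted):
    """Foreseeing_A(Pat): honest parties whose own A_i contains the actual
    corrupted set (active corruptions only, so Act = Pas here)."""
    return {i for i, a in enumerate(structures)
            if i not in corrupted and corrupted in a}

def run_mpc(T, corrupted):
    """The proof's case analysis for a corrupted set; t = T - 1 is the
    threshold below which the preprocessing (PKI setup) is guaranteed to
    succeed. Returns which case applies and which parties keep security."""
    n, structures = aggregate_structure(T)
    corrupted = frozenset(corrupted)
    honest = set(range(n)) - corrupted
    if len(corrupted) > T:
        # every honest party is naive: fully relaxed security promises nothing
        return {"case": "more_than_T", "secure_for": set()}
    if len(corrupted) <= T - 1:
        # preprocessing succeeds; a T-secure MPC on the PKI protects all honest parties
        return {"case": "preprocessing_success", "secure_for": honest}
    # exactly T corruptions: the adversary may force "failure"; all honest
    # parties agree on that, and the (at most one) foreseeing party computes
    # its output locally from its own input and default values
    fs = foreseeing(structures, corrupted)
    assert len(fs) <= 1, "a T-set was placed in more than one A_i"
    return {"case": "preprocessing_may_fail", "secure_for": fs}
```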

Again, the impossibility results for broadcast naturally extend to MPC. 

3 A Generic Framework for Asymmetric Trust 

Until now we gave ad-hoc definitions of asymmetric security for VSS and broad- 
cast. We now develop a general framework for augmenting security models with 
asymmetric trust. The asymmetric security notions introduced above can be 
derived as special cases. The exposition is meant as a framework for adding 
asymmetric trust to protocol security models phrased via ideal functionalities 
and corruptions. For concreteness we consider the UC framework. 
3.1 Basic UC Framework 

We consider protocols $\pi$ for a party set $\mathcal{P} = \{p_1, \ldots, p_n\}$. A corruption pattern 
is a pair of subsets $\mathrm{Pat} = (\mathrm{Act}, \mathrm{Pas})$, $\mathrm{Act}, \mathrm{Pas} \subseteq \mathcal{P}$, where $\mathrm{Act} \subseteq \mathrm{Pas}$. The 
interpretation is that the parties $p_i \in \mathrm{Pas}$ are passively corrupted and the parties 
$p_i \in \mathrm{Act}$ are actively corrupted. We write $(\mathrm{Act}, \mathrm{Pas}) \subseteq (\mathrm{Act}', \mathrm{Pas}')$ to mean 
$\mathrm{Act} \subseteq \mathrm{Act}'$ and $\mathrm{Pas} \subseteq \mathrm{Pas}'$. An adversary structure is a set $\mathcal{A} = \{(\mathrm{Act}, \mathrm{Pas})\}$ 
of corruption patterns, where $\mathrm{Pat} \in \mathcal{A} \wedge \mathrm{Pat}' \subseteq \mathrm{Pat} \Rightarrow \mathrm{Pat}' \in \mathcal{A}$. 

An ideal functionality is an ITM $\mathcal{F}$. It can receive inputs from each $p_i \in \mathcal{P}$ 
($p_i$-inputs) and deliver outputs to each $p_i \in \mathcal{P}$ ($p_i$-outputs). Besides this, it can 
receive aux-inputs and deliver aux-outputs, thought of as inputs coming from 
the adversary, respectively values leaked to the adversary. As an example, an 
ideal functionality $\mathcal{F}_{\mathrm{COM}}$ for bit commitment can be phrased as follows: On $p_i$-input 
$(\mathtt{commit}, cid, p_i, p_j, m \in \{0,1\})$ produce aux-output $(\mathtt{commit}, cid, p_i, p_j)$. 
Here $cid$ is a commitment identifier. On a later aux-input $(\mathtt{deliver}, cid, p_i, p_j)$, 
output $(\mathtt{receipt}, cid, p_i, p_j)$ to $p_j$. On $p_i$-input $(\mathtt{open}, cid, p_i, p_j)$ after receiving 
$p_i$-input $(\mathtt{commit}, cid, p_i, p_j, m)$, produce aux-output $(\mathtt{open}, cid, p_i, p_j, m)$. On a 
later aux-input $(\mathtt{open}, cid, p_i, p_j)$, output $(\mathtt{open}, cid, p_i, p_j, m)$ to $p_j$. 

A protocol $\pi$ consists of $n$ parties $p_1, \ldots, p_n$ and some ideal functionalities $\mathcal{G}$, 
which might, e.g., model point-to-point lines or commitment. We write $\mathcal{G} \in \pi$ 
and $\pi[\mathcal{G}]$ to mean that $\pi$ uses the ideal functionality $\mathcal{G}$. An environment $\mathcal{Z}$ for 
$\pi$ is an ITM which gives inputs to the parties and gets outputs from the parties. 
We denote an execution of $\pi$ in $\mathcal{Z}$ by $\mathrm{Exec}_{\pi,\mathcal{Z}}$. The environment $\mathcal{Z}$ also corrupts 
parties.³ For a corruption pattern $\mathrm{Pat} = (\mathrm{Act}, \mathrm{Pas})$ the environment is allowed 
to see the internal state of $p_i \in \mathrm{Pas}$ and control $p_i \in \mathrm{Act}$: When $p_i \in \mathrm{Act}$, 
then in $\mathrm{Exec}_{\pi,\mathcal{Z}}$ it is $\mathcal{Z}$ which determines all $p_i$-inputs to $\mathcal{G} \in \pi$ and receives all 
$p_i$-outputs from $\mathcal{G} \in \pi$. The party $p_i$ is not run at all. Besides this, $\mathcal{Z}$ receives 
all aux-outputs from all $\mathcal{G} \in \pi$ and can give aux-inputs to all $\mathcal{G} \in \pi$. As an 
example, in $\mathrm{Exec}_{\mathcal{F}_{\mathrm{COM}},\mathcal{Z}}$ the environment sees when commitments are made 
and determines when to deliver receipts and openings. 

The execution $\mathrm{Exec}_{\pi,\mathcal{Z}}$ is compared to a simulation $\mathrm{Sim}_{\mathcal{F},\mathcal{S},\mathcal{Z}}$. Here the simu- 
lator $\mathcal{S}$ must simulate an execution of $\pi$. E.g., $\mathcal{S}$ simulates aux-outputs to $\mathcal{Z}$ from 
all $\mathcal{G} \in \pi$ and receives aux-inputs from $\mathcal{Z}$ to $\mathcal{G} \in \pi$. The simulator itself receives 
aux-outputs from $\mathcal{F}$ and gives aux-inputs to $\mathcal{F}$. When $\mathcal{Z}$ gives a $p_i$-input for 
$p_i \notin \mathrm{Act}$, it is given to $\mathcal{F}$. The simulator gives all $p_i$-inputs to $\mathcal{F}$ for $p_i \in \mathrm{Act}$. 
When $\mathcal{F}$ produces a $p_i$-output for $p_i \notin \mathrm{Act}$, it is given to $\mathcal{Z}$, but when $\mathcal{F}$ pro- 
duces a $p_i$-output for $p_i \in \mathrm{Act}$, it is not given to $\mathcal{Z}$. When $\mathcal{Z}$ gives a $p_i$-input to 
$\mathcal{F}$ for $p_i \in \mathrm{Pas}$, it is shown to $\mathcal{S}$, and when $\mathcal{F}$ produces a $p_i$-output for $p_i \in \mathrm{Pas}$, 
it is shown to $\mathcal{S}$. 

A protocol $\pi$ is called a UC secure implementation of $\mathcal{F}$ if there exists a simu- 
lator $\mathcal{S}$ such that $\mathrm{Sim}_{\mathcal{F},\mathcal{S},\mathcal{Z}} \approx \mathrm{Exec}_{\pi,\mathcal{Z}}$ for all $\mathcal{Z}$. It is possible to restrict $\mathcal{Z}$ to 
corrupting according to some $\mathrm{Pat} \in \mathcal{A}$, in which case we say that $\pi$ is $\mathcal{A}$-secure 
(in the symmetric sense). 


³ We use the formulation of the UC framework without an explicit adversary; see the full 
version of [?]. 
$\mathcal{F}^{(\mathrm{Xtn})}$ runs a copy of $\mathcal{F}$. When $\mathcal{F}$ produces aux-output $z$, $\mathcal{F}^{(\mathrm{Xtn})}$ produces 
aux-output $z$, and when $\mathcal{F}^{(\mathrm{Xtn})}$ receives aux-input $z$ it gives $\mathcal{F}$ the aux- 
input $z$. When the (current) corruption pattern is $\mathrm{Pat}$ and $\mathrm{Xtn}(\mathrm{Pat}) = 
(\mathrm{ActIn}, \mathrm{ActOut}, \mathrm{PasIn}, \mathrm{PasOut})$, the remaining inputs and outputs are handled 
as follows: 

— For $p_i \in \mathrm{PasIn}$: On $p_i$-input $x$, produce aux-output $(\mathtt{in}, p_i, x)$, and then give 
$\mathcal{F}$ the $p_i$-input $x$. 

— For $p_i \in \mathrm{PasOut}$: On $p_i$-output $x$ from $\mathcal{F}$, produce aux-output $(\mathtt{out}, p_i, x)$, and 
then produce the $p_i$-output $x$. 

— For $p_i \in \mathrm{ActIn}$: Ignore all $p_i$-inputs, and on an aux-input $(\mathtt{in}, p_i, x)$, give $\mathcal{F}$ 
the $p_i$-input $x$. 

— For $p_i \in \mathrm{ActOut}$: Ignore all $p_i$-outputs from $\mathcal{F}$, and on an aux-input 
$(\mathtt{out}, p_i, x)$, produce the $p_i$-output $x$. 


Fig. 2. $\mathcal{F}^{(\mathrm{Xtn})}$ 

3.2 Modeling the Security Loss of Naive Parties 

To define asymmetric trust in the UC framework, we need to model the loss of 
security we will allow for a party who turns out to have been naive. To express 
what we choose to allow, we introduce the concept of a corruption extension $\mathrm{Xtn}$, 
which is a function that maps a corruption pattern $\mathrm{Pat}$ to a tuple 

$$\mathrm{Xtn}(\mathrm{Pat}) = (\mathrm{ActIn}, \mathrm{ActOut}, \mathrm{PasIn}, \mathrm{PasOut})$$ 

of party subsets, where 

$$\mathrm{PasIn}, \mathrm{PasOut} \subseteq \mathcal{P} \setminus \mathrm{Pas} \quad\text{and}\quad \mathrm{ActIn}, \mathrm{ActOut} \subseteq \mathcal{P} \setminus \mathrm{Act}.$$ 

These are subsets of parties who are not corrupt but nevertheless have their 
security violated in some way. 

This is modeled in the simulation $\mathrm{Sim}_{\mathcal{F},\mathcal{S},\mathcal{Z}}$ by giving $\mathcal{S}$ the following extra 
power over $\mathcal{F}$: For the parties $p_i \in \mathrm{PasIn}$, respectively $p_i \in \mathrm{PasOut}$, we show 
$\mathcal{S}$ the $p_i$-inputs to $\mathcal{F}$, respectively the $p_i$-outputs from $\mathcal{F}$. For the parties $p_i \in 
\mathrm{ActIn}$, when $\mathcal{Z}$ gives a $p_i$-input to $\mathcal{F}$, it is not given to $\mathcal{F}$. Instead we allow $\mathcal{S}$ to 
specify these $p_i$-inputs. Finally, for the parties $p_i \in \mathrm{ActOut}$, when $\mathcal{F}$ produces 
a $p_i$-output to $\mathcal{Z}$, it is not given to $\mathcal{Z}$, but we allow $\mathcal{S}$ to specify these $p_i$-outputs. 

Of course, a functionality T may also be used as an auxiliary functionality in 
a protocol. In this case the extra power is given to the environment (adversary), 
see more on this below. 

In order to formally incorporate the above into the UC framework without 
making changes that require us to reprove the composition theorem, we define 
the following way to extend any ideal functionality: For a functionality $\mathcal{F}$ and 
any extension $\mathrm{Xtn}$, let $\mathcal{F}^{(\mathrm{Xtn})}$ be the ideal functionality in Fig. 2. We say that 
$\pi$ is an $\mathrm{Xtn}$-secure implementation of $\mathcal{F}$ if $\pi$ is a UC secure implementation of 
$\mathcal{F}^{(\mathrm{Xtn})}$ (tolerating environments corrupting any subset of parties). 
Note that in $\mathrm{Sim}_{\mathcal{F}^{(\mathrm{Xtn})},\mathcal{S},\mathcal{Z}}$ it is $\mathcal{S}$ which has access to the aux-inputs and aux- 
outputs of $\mathcal{F}^{(\mathrm{Xtn})}$, giving it exactly the desired extra power. Note also that 
$\mathcal{F}^{(\mathrm{Xtn})}$ is allowed in the UC framework since it allows functionalities to know 
which parties are corrupted. 

Note that in the above definition we do not restrict in any way how many 
parties the environment corrupts. We might however use $\mathrm{Xtn}$ to specify that 
for some corruptions $\mathrm{Pat} \notin \mathcal{A}$ the simulator is allowed to corrupt all parties in 
the simulation. This allows us to model that for corruptions $\mathrm{Pat} \notin \mathcal{A}$ no security 
guarantees are given. The notion of corruption extensions therefore subsumes the 
normal notion of restricting the environment to certain corruption patterns $\mathcal{A}$. 
As mentioned, extensions also apply to a functionality $\mathcal{G}$ used in protocol $\pi$. 
For this purpose we assume that $\pi$ associates to each $\mathcal{G} \in \pi$ an extension $\mathrm{Xtn}_{\mathcal{G}}$. 
We then let $\hat{\pi}$ denote the protocol where each $\mathcal{G} \in \pi$ is replaced by $\mathcal{G}^{(\mathrm{Xtn}_{\mathcal{G}})}$. 
In $\mathrm{Exec}_{\hat{\pi},\mathcal{Z}}$ it is $\mathcal{Z}$ which has access to the aux-inputs and outputs of $\mathcal{G}^{(\mathrm{Xtn}_{\mathcal{G}})}$, 
granting it extra power over $\mathcal{G}$ in the same way as we did for the simulator before. 

Definition 5. Let $\pi$ be a protocol having an extension $\mathrm{Xtn}_{\mathcal{G}}$ associated to each 
$\mathcal{G} \in \pi$, let $\mathrm{Xtn}$ be some extension and let $\mathcal{F}$ be some ideal functionality. We say 
that $\pi$ is an $\mathrm{Xtn}$-secure implementation of $\mathcal{F}$ if $\hat{\pi}$ is a UC secure implementation 
of $\mathcal{F}^{(\mathrm{Xtn})}$ (tolerating all corruption patterns). ◇ 

We can prove a composition theorem for this notion of security. For a protocol 
$\pi = \pi[\mathcal{G}]$ and a protocol $\gamma$ we use $\pi[\gamma/\mathcal{G}]$ to denote the protocol $\pi$ where the 
use of $\mathcal{G}$ has been replaced by $\gamma$. Let $\mathrm{Xtn}_{\pi}$ ($\mathrm{Xtn}_{\gamma}$) be the extensions $\pi$ ($\gamma$) 
associates to its ideal functionalities. For $\mathcal{H} \in \pi[\gamma/\mathcal{G}]$ we associate the extension 
$\mathrm{Xtn}(\mathcal{H}) = \mathrm{Xtn}_{\pi}(\mathcal{H})$ when $\mathcal{H} \in \pi$ and $\mathrm{Xtn}(\mathcal{H}) = \mathrm{Xtn}_{\gamma}(\mathcal{H})$ when $\mathcal{H} \in \gamma$. 

Theorem 8. Assume that $\pi$ is an $\mathrm{Xtn}$-secure implementation of $\mathcal{F}$ and $\mathcal{G} \in \pi$ 
with $\mathrm{Xtn}_{\pi}(\mathcal{G}) = \mathrm{Xtn}_{\mathcal{G}}$. Assume furthermore that $\gamma$ is an $\mathrm{Xtn}_{\mathcal{G}}$-secure implemen- 
tation of $\mathcal{G}$. Then $\pi[\gamma/\mathcal{G}]$ is an $\mathrm{Xtn}$-secure implementation of $\mathcal{F}$. 

Proof. When $\mathrm{Xtn}_{\pi}(\mathcal{G}) = \mathrm{Xtn}_{\mathcal{G}}$ for $\mathcal{G} \in \pi$, then $\pi$ being an $\mathrm{Xtn}$-secure imple- 
mentation of $\mathcal{F}$ implies that $\pi[\mathcal{G}^{(\mathrm{Xtn}_{\mathcal{G}})}]$ is a UC secure implementation of $\mathcal{F}^{(\mathrm{Xtn})}$. 
That $\gamma$ is an $\mathrm{Xtn}_{\mathcal{G}}$-secure implementation of $\mathcal{G}$ implies that $\hat{\gamma}$ is a UC secure 
implementation of $\mathcal{G}^{(\mathrm{Xtn}_{\mathcal{G}})}$. So, by the UC composition theorem, $\pi[\hat{\gamma}/\mathcal{G}^{(\mathrm{Xtn}_{\mathcal{G}})}]$ is 
a UC secure implementation of $\mathcal{F}^{(\mathrm{Xtn})}$. Since $\widehat{\pi[\gamma/\mathcal{G}]} = \pi[\hat{\gamma}/\mathcal{G}^{(\mathrm{Xtn}_{\mathcal{G}})}]$ this implies 
that $\widehat{\pi[\gamma/\mathcal{G}]}$ is a UC secure implementation of $\mathcal{F}^{(\mathrm{Xtn})}$, which by definition implies 
that $\pi[\gamma/\mathcal{G}]$ is an $\mathrm{Xtn}$-secure implementation of $\mathcal{F}$. □ 


3.3 Asymmetric Trust 

We now use Definition 5 to express asymmetric trust, formalizing the concepts 
we introduced in Section 1.4. To each $p_i$ we associate an adversary structure 
$\mathcal{A}_i$ expressing that $p_i$ trusts that only corruption patterns $\mathrm{Pat} \in \mathcal{A}_i$ will ac- 
tually occur. We call $\mathcal{A} = (\mathcal{A}_1, \ldots, \mathcal{A}_n)$ an aggregate adversary structure. A 
symmetric adversary structure $\mathcal{A}$ corresponds to the aggregate adversary struc- 
ture $\mathcal{A}^n = (\mathcal{A}, \ldots, \mathcal{A})$. For an actually occurring corruption pattern $\mathrm{Pat} = 
(\mathrm{Act}, \mathrm{Pas})$ we let $\mathrm{Foreseeing}_{\mathcal{A}}(\mathrm{Pat}) = \{p_i \in \mathcal{P} \setminus \mathrm{Pas} \mid \mathrm{Pat} \in \mathcal{A}_i\}$ and we let 
$\mathrm{Naive}_{\mathcal{A}}(\mathrm{Pat}) = \{p_i \in \mathcal{P} \setminus \mathrm{Pas} \mid \mathrm{Pat} \notin \mathcal{A}_i\}$. We call $p_i \in \mathrm{Foreseeing}_{\mathcal{A}}(\mathrm{Pat})$ 
foreseeing and we call $p_i \in \mathrm{Naive}_{\mathcal{A}}(\mathrm{Pat})$ naive. We model asymmetric trust 
by treating the foreseeing honest parties as we normally treat the honest par- 
ties in UC security and treating the corrupted parties as we do normally. For 
the naive parties we allow the simulator (environment) extra powers, using the 
concepts we defined earlier. Formally, we say that a corruption extension $\mathrm{Xtn}$ 
is an extension for $\mathcal{A} = (\mathcal{A}_1, \ldots, \mathcal{A}_n)$ if it holds for all $\mathrm{Pat}$ that $\mathrm{Xtn}(\mathrm{Pat}) = 
(\mathrm{ActIn}, \mathrm{ActOut}, \mathrm{PasIn}, \mathrm{PasOut})$ satisfies $\mathrm{PasIn}, \mathrm{PasOut}, \mathrm{ActIn}, \mathrm{ActOut} 
\subseteq \mathrm{Naive}_{\mathcal{A}}(\mathrm{Pat})$. This gives a lot of granularity in how to treat the honest-but- 
naive parties: $\mathrm{PasIn}$ specifies the naive parties for which the inputs are allowed 
to leak to the adversary, $\mathrm{PasOut}$ specifies the naive parties for which the out- 
puts are allowed to leak to the adversary, $\mathrm{ActIn}$ specifies the naive parties for 
which the inputs might be controlled by the adversary, and $\mathrm{ActOut}$ specifies 
the naive parties for which the outputs might be controlled by the adversary. 

To get some more structure, we name some special types of extensions, called 
relaxed, semi-relaxed, strong, strict, which are defined as follows: 

— $\mathrm{Xtn}$ is of type relaxed if it is the extension of $\mathcal{A}$ that specifies $\mathrm{ActIn} = 
\mathrm{ActOut} = \mathrm{Naive}_{\mathcal{A}}(\mathrm{Pat})$ for all $\mathrm{Pat}$, i.e., there is no security for naive 
parties. 

— $\mathrm{Xtn}$ is of type semi-relaxed if it is the extension of $\mathcal{A}$ that specifies $\mathrm{ActIn} = 
\emptyset$, $\mathrm{ActOut} = \mathrm{Naive} \setminus \mathrm{Act}$, $\mathrm{PasIn} = \mathrm{Naive} \setminus \mathrm{Pas}$, $\mathrm{PasOut} = \mathrm{Naive} \setminus 
\mathrm{Pas}$. I.e., the honest-but-naive parties are guaranteed that their inputs are 
contributed correctly to the computation. They are however not guaranteed 
to receive correct outputs nor any privacy of their inputs or their outputs. 

— $\mathrm{Xtn}$ is of type strong if it is the extension of $\mathcal{A}$ that specifies $\mathrm{ActIn} = 
\mathrm{ActOut} = \emptyset$, $\mathrm{PasIn} = \mathrm{PasOut} = \mathrm{Naive}_{\mathcal{A}}(\mathrm{Pat})$, i.e., naive parties have 
no privacy but may contribute their inputs and get correct results. 

— $\mathrm{Xtn}$ is of type strict if it is the extension of $\mathcal{A}$ that specifies $\mathrm{Xtn}(\mathrm{Pat}) = 
(\emptyset, \emptyset, \emptyset, \emptyset)$, i.e., there is full security for naive parties. 

If $\mathrm{atk}$ is one of relaxed, semi-relaxed, strong, strict, we call $\pi$ an $\mathrm{atk}$ 
$\mathcal{A}$-secure implementation of $\mathcal{F}$ if $\pi$ is an $\mathrm{Xtn}$-secure implementation of $\mathcal{F}$ toler- 
ating $\mathcal{A}$, where $\mathrm{Xtn}$ is the extension of $\mathcal{A}$ of type $\mathrm{atk}$. Also, if $\pi$ makes use of 
functionality $\mathcal{G}$, we say that $\mathcal{G}$ is an $\mathrm{atk}$ functionality if the extension $\pi$ assigns 
to $\mathcal{G}$ is of type $\mathrm{atk}$. 

The following composition theorem is an immediate corollary to Theorem 8. 

Corollary 1. Let $\mathrm{atk}, \mathrm{atk}' \in \{\text{relaxed}, \text{semi-relaxed}, \text{strong}, \text{strict}\}$. If $\pi$ 
is an $\mathrm{atk}$ $\mathcal{A}$-secure implementation of $\mathcal{F}$, where $\mathcal{G} \in \pi$ is an $\mathrm{atk}'$ functionality, 
and $\gamma$ is an $\mathrm{atk}'$ $\mathcal{A}$-secure implementation of $\mathcal{G}$, then $\pi[\gamma/\mathcal{G}]$ is an $\mathrm{atk}$ $\mathcal{A}$-secure 
implementation of $\mathcal{F}$. 

Note that the notion of semi-relaxed security as defined here is equivalent to the 
notions sender-independent validity and dealer-independent correctness in Sec- 
tion 2. Indeed, defining broadcast and VSS by requiring a semi-relaxed secure 
implementation of a corresponding ideal functionality would define exactly these 
notions. 

To see the connection between symmetric security and our notions of asym- 
metric security, let $\mathcal{A}$ be the aggregate adversary structure modeling that all 
parties trust that at most $t$ parties will be corrupted, and let $\pi$ be a protocol 
using only strict functionalities. In this case the simulator is given no extra cor- 
ruption when at most $t$ parties are corrupted, as all parties are foreseeing. So, as 
long as at most $t$ parties are corrupted, relaxed, semi-relaxed, strong and strict 
$\mathcal{A}$-security are equivalent to the usual UC $t$-security. If however more than $t$ 
parties are corrupted, then all honest parties are naive, meaning e.g. that strong 
security allows the simulator to see the inputs and outputs of all parties, and 
relaxed security allows the simulator to specify the inputs and outputs of all 
parties. So, when more than $t$ parties are corrupted, strong $\mathcal{A}$-security gives no 
guarantees on the privacy of any party but still guarantees correctness for the 
honest-but-naive parties, and relaxed $\mathcal{A}$-security gives no guarantees at all. Note 
that giving no guarantees at all when more than $t$ parties are corrupted is equiv- 
alent to normal $t$-security, where simulation is only required for environments 
corrupting at most $t$ parties. Therefore relaxed security is a generalization of 
normal (symmetric) UC security, and strong security is a strengthening. 

4 Multi-Party Computation in the UC Framework 

In this section we first formalize the notion of secure multi-party computation 
in the UC framework where the parties have asymmetric trust in each other. 
In Section 2.3 we already informally looked at this case in the secure-channels 
model. In Section 4.2 we look at a setting where a number of certificate au- 
thorities (or common reference strings) are present and where the parties have 
asymmetric trust in these certificate authorities (or common reference strings). 

4.1 Secure Function Evaluation 

For simplicity we focus on secure function evaluation (SFE). SFE of $f(x_1, \ldots, x_n)$ 
can be expressed as securely evaluating the ideal functionality $\mathcal{F}^f_{\mathrm{SFE}}$ for secure 
function evaluation of $f$. Essentially $\mathcal{F}^f_{\mathrm{SFE}}$ takes an input $x_i$ from each $p_i$, com- 
putes $(y_1, \ldots, y_n) = f(x_1, \ldots, x_n)$ and outputs $y_i$ securely to $p_i$. We call $\pi$ an 
$\mathcal{A}$ SFE w/ full relaxation of $f$ if $\pi$ is a relaxed $\mathcal{A}$-secure implementation of 
$\mathcal{F}^f_{\mathrm{SFE}}$. We call $\pi$ an $\mathcal{A}$ SFE w/ contributor-independent correctness of $f$ if $\pi$ is a 
semi-relaxed $\mathcal{A}$-secure implementation of $\mathcal{F}^f_{\mathrm{SFE}}$. For concreteness we flesh out 
these notions below. 

Definition 6 (SFE w/ full relaxation). The simulator has the following extra 
powers: 

Input Secrecy: If $p_i$ is honest and $F \notin \mathcal{A}_i$, or $p_i$ is corrupt, then the simulator 
sees $x_i$. If party $p_i$ is honest and $F \in \mathcal{A}_i$ then the simulator is not shown $x_i$. 

Input Correctness: If $p_i$ is honest and $F \notin \mathcal{A}_i$, or $p_i$ is corrupt, then the 
simulator can replace $x_i$ by some $x_i'$. After this, the outputs $(y_1, \ldots, y_n) = 
f(x_1', \ldots, x_n')$ are computed, where $x_i' = x_i$ for all honest $p_i$ with $F \in \mathcal{A}_i$. 

Output Secrecy: If $p_i$ is honest and $F \notin \mathcal{A}_i$, or $p_i$ is corrupt, then the sim- 
ulator sees $y_i$. If party $p_i$ is honest and $F \in \mathcal{A}_i$ then the simulator is not 
shown $y_i$. 

Output Correctness: If $p_i$ is honest and $F \notin \mathcal{A}_i$, or $p_i$ is corrupt, then the 
simulator can replace $y_i$ by some $y_i'$. After this, $\mathcal{F}_{\mathrm{SFE}}$ outputs $y_i'$ on behalf of 
$p_i$, where $y_i' = y_i$ for all honest $p_i$ with $F \in \mathcal{A}_i$. 

Robustness: Robustness is best expressed as a condition on the protocol (as 
opposed to the simulation), by requiring that all honest parties compute an 
output, i.e., no honest party aborts the protocol. Alternatively, one can require 
this only for the foreseeing parties, getting weak robustness. ◇ 

Definition 7 (SFE w/ contributor-independent correctness). The sim- 
ulator has the following extra powers (listing only differences from Definition 6): 

Input Correctness: If $p_i$ is corrupt, then the simulator can replace $x_i$ by 
some $x_i'$. After this, the outputs $(y_1, \ldots, y_n) = f(x_1', \ldots, x_n')$ are computed, 
where $x_i' = x_i$ for all honest $p_i$. ◇ 

These notions can be generalized to MPC w/ full relaxation and MPC w/ 
contributor-independent correctness by requiring a relaxed (semi-relaxed) $\mathcal{A}$- 
secure implementation of a more general ideal functionality $\mathcal{F}$. 
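The wrapper of Fig. 2, the four extension types of Section 3.3 and the SFE powers of Definitions 6 and 7, as an added toy model (our own code, not the paper's): parties are $0, \ldots, n-1$, a pattern is a pair `(act, pas)` of frozensets, the aggregate structure is a list with one set of patterns per party, and the function evaluated is the sum of the inputs. Which party is naive, what leaks, and which inputs or outputs the simulator may override are all computed from these definitions; the class and function names are ours.

```python
from itertools import combinations

# Added example (not from the paper): a toy model of the wrapper F^(Xtn) of
# Fig. 2 around the SFE functionality of Section 4.1 for f = sum, with the
# four extension types of Section 3.3. Parties are 0..n-1, a corruption
# pattern is (act, pas) with act <= pas, and an aggregate structure is a
# list with one set of patterns per party. Names and modelling are our own.

def threshold_structure(n, t):
    """All patterns (Act, Pas) with Act <= Pas and |Pas| <= t."""
    pats = set()
    for k in range(t + 1):
        for pas in combinations(range(n), k):
            for j in range(k + 1):
                for act in combinations(pas, j):
                    pats.add((frozenset(act), frozenset(pas)))
    return pats

def naive_parties(aggregate, pat):
    """Naive_A(Pat): honest parties whose own A_i does not contain Pat."""
    _, pas = pat
    return {i for i in range(len(aggregate))
            if i not in pas and pat not in aggregate[i]}

def extension(kind, aggregate, pat):
    """Xtn(Pat) = (ActIn, ActOut, PasIn, PasOut) for the named type."""
    act, pas = pat
    nv = naive_parties(aggregate, pat)
    if kind == "relaxed":        # no security at all for naive parties
        return nv, nv, set(), set()
    if kind == "semi-relaxed":   # inputs contributed correctly, nothing else
        return set(), nv - act, nv - pas, nv - pas
    if kind == "strong":         # correctness kept, privacy lost
        return set(), set(), nv, nv
    if kind == "strict":         # full security for naive parties
        return set(), set(), set(), set()
    raise ValueError(kind)

class SumSFE:
    """F_SFE for f(x_1, ..., x_n) = (s, ..., s) with s the sum of the inputs."""
    def __init__(self, n):
        self.n, self.inputs = n, {}
    def give_input(self, i, x):
        self.inputs[i] = x
    def outputs(self):
        if len(self.inputs) < self.n:
            return None              # not every party has given input yet
        s = sum(self.inputs.values())
        return {i: s for i in range(self.n)}

class Wrapped:
    """F^(Xtn): runs a copy of F and leaks or overrides per Xtn(Pat)."""
    def __init__(self, inner, xtn):
        self.f = inner
        self.act_in, self.act_out, self.pas_in, self.pas_out = xtn
        self.aux_out = []    # aux-outputs: what the simulator gets to see
        self.forced = {}     # outputs supplied through aux-input (out, i, x)
    def party_input(self, i, x):
        if i in self.act_in:         # p_i-inputs of ActIn parties are ignored
            return
        if i in self.pas_in:         # PasIn: leak, then forward
            self.aux_out.append(("in", i, x))
        self.f.give_input(i, x)
    def aux_input(self, msg):
        tag, i, x = msg
        if tag == "in" and i in self.act_in:
            self.f.give_input(i, x)  # adversary-chosen input for p_i
        elif tag == "out" and i in self.act_out:
            self.forced[i] = x       # adversary-chosen output for p_i
    def party_outputs(self):
        real = self.f.outputs()
        if real is None:
            return None
        out = {}
        for i, y in real.items():
            if i in self.act_out:    # F's output dropped, forced one used
                if i in self.forced:
                    out[i] = self.forced[i]
                continue
            if i in self.pas_out:    # PasOut: leak, then deliver
                self.aux_out.append(("out", i, y))
            out[i] = y
        return out

def run(kind, aggregate, pat, inputs, adversary_aux=()):
    """Run the wrapped SFE under pattern pat; return (outputs, leaked aux)."""
    w = Wrapped(SumSFE(len(aggregate)), extension(kind, aggregate, pat))
    for msg in adversary_aux:
        w.aux_input(msg)
    for i, x in inputs.items():
        w.party_input(i, x)
    return w.party_outputs(), w.aux_out
```

With three parties where parties 0 and 1 tolerate one corruption but party 2 tolerates none, actively corrupting party 0 makes party 2 the only naive party: under the strong extension its input and output leak but stay correct, under the relaxed extension the adversary supplies both.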

4.2 With Asymmetrically Trusted Setup 

We now consider a setting where some setup is given. We focus on UC security, 
where setup is needed when there is no trust among the parties. We consider 
two setup assumptions which have been studied previously: common reference 
string (CRS) and key registration (KR) , and we generalize the study to consider 
asymmetric trust. Here, we only cover the KR case whereas the CRS case is 
treated in the full version of the paper, using similar techniques. 

Key Registration. In [?] Barak et al. gave a feasibility result for UC secure 
MPC in a network which had a key registration service $\mathcal{F}_{\mathrm{KR}}$ which allows a user 
$U_i$ to register a public key $pk_i$ while checking that $U_i$ knows a corresponding 
secret key. We extend this analysis of the power of key registration by analyzing 
a setting where there are several key registration services (KRS's) in which the 
users have different partial trust. For completeness we also assume that the 
users have different, partial trust in each other. We characterize the aggregate 
adversary structures which allow us to securely compute any ideal functionality in 
this setting. We consider the same type of security as in [?]: polynomial time 
security, and the protocol is only required to deliver outputs if all parties are 
honest. This is modeled by allowing the simulator to decide when and if honest 
outputs from $\mathcal{F}$ to $\mathcal{Z}$ are delivered in the simulation. 
We model the KRS's as parties $\mathcal{KR} = \{KR_k\}$. We then add $n$ users $\mathcal{U} = 
\{U_1, \ldots, U_n\}$, making the party set $\mathcal{P} = \mathcal{KR} \cup \mathcal{U}$. The users are the parties 
which want to compute some ideal functionality $\mathcal{F}_{\mathcal{U}}$ among them.⁴ We also 
add a strict functionality for authenticated, asynchronous point-to-point com- 
munication among the users and between the users and the KRS's, and we 
add a strict functionality for secure, asynchronous point-to-point communica- 
tion among the users.⁵ Finally we need that each user can give a proof of pos- 
session (PoP) of the secret key when it registers a public key. For this purpose 
we postulate an ideal functionality $\mathcal{POP}$. Let $\mathrm{gen}$ be the generator $pk = \mathrm{gen}(r)$ 
used to generate public keys (we can wlog assume that the randomness $r$ con- 
stitutes the private key). We assume that $\mathcal{POP}$ behaves as follows: On input 
$(U_i, KR_k, r_i)$ from $U_i$, output $(U_i, KR_k, pk_i = \mathrm{gen}(r_i))$ to $KR_k$. This models 
that $U_i$ gives $pk_i$ to $KR_k$ and then somehow proves knowledge of $r_i$ such that 
$pk_i = \mathrm{gen}(r_i)$. 

By $U_i$ registering a public key at $KR_k$ we then mean that $U_i$ samples a 
random public key $pk_i \leftarrow \mathrm{gen}(r_i)$ and inputs $(U_i, KR_k, r_i)$ securely to $\mathcal{POP}$. The 
honest behavior of each $KR_k$ is as follows: The first time it sees $\mathcal{POP}$ output 
$(U_i, KR_k, pk_i)$ for $U_i$ it sends $(U_i, KR_k, pk_i)$ to all users $U_j$ using authenticated 
point-to-point communication. 

Since the behavior of $KR_k$ is fixed and the behavior of $\mathcal{POP}$ is given by $\mathrm{gen}$, 
we specify a protocol by $\pi = (\mathrm{gen}, U_1, \ldots, U_n)$. For convenience we assume that 
each $U_i$ starts the protocol by registering some $pk_{i,k}$ with each $KR_k$. Then $U_i$ 
waits for each $KR_k$ to send some $pk_{j,k}$ for each $U_j \in \mathcal{U}$ and stores all these keys. 
After this registration phase the users then proceed to run the actual protocol. 
We can therefore in the specification of $U_i$ assume that it knows the keys $pk_{j,k}$. 
We call such a $\pi = (\mathrm{gen}, U_1, \ldots, U_n)$ a KR-protocol. 

As for trust, we consider only active corruptions, so that $\mathrm{Pat} = (\mathrm{Act}, \mathrm{Act})$ 
for all patterns. We therefore write $\mathrm{Act} \in \mathcal{A}$ and consider $\mathcal{A} \subseteq 2^{\mathcal{P}}$. We associate 
no trust to the KRS's. That is, we assume that $\mathcal{A}_{KR_k} = 2^{\mathcal{P}}$ for each KRS. 
To each $U_i$ we associate a corruption structure $\mathcal{A}_i \subseteq 2^{\mathcal{P}}$. We call $(\mathcal{A}_1, \ldots, \mathcal{A}_n)$ 
complete for the KR setting if it allows us to securely compute any efficient ideal 
functionality $\mathcal{F}_{\mathcal{U}}$ among the users using a KR-protocol. 

For $\mathrm{Act}_i \in \mathcal{A}_i$ we let $\mathrm{Act}_i^{\mathcal{U}} = \mathrm{Act}_i \cap \mathcal{U}$ and $\mathrm{Act}_i^{\mathcal{KR}} = \mathrm{Act}_i \cap \mathcal{KR}$. We 
say that two users $U_i \neq U_j$ are KR connected if it holds for all $\mathrm{Act}_i \in \mathcal{A}_i$ and 
$\mathrm{Act}_j \in \mathcal{A}_j$ that either $\mathrm{Act}_i^{\mathcal{KR}} \neq \mathcal{KR}$ or $\mathrm{Act}_j^{\mathcal{KR}} \neq \mathcal{KR}$ or $\mathrm{Act}_i^{\mathcal{U}} \cup \mathrm{Act}_j^{\mathcal{U}} \neq \mathcal{U}$. 
That is, together, $U_i$ and $U_j$ cannot imagine a scenario where both of them think 
that all KRS's might be corrupted and where together they think all users might 
be corrupted. 


⁴ We say that $\mathcal{F}_{\mathcal{P}'}$ is among $\mathcal{P}'$ if it ignores $p_i$-inputs for $\mathcal{P} \setminus \mathcal{P}'$ and gives no $p_i$-outputs 
for $\mathcal{P} \setminus \mathcal{P}'$. 

⁵ Since secure, asynchronous point-to-point communication has a normal UC secure 
implementation given authenticated channels and several standard complexity as- 
sumptions, this strict ideal functionality can be replaced with any such implemen- 
tation to get an equivalent model with only authenticated communication, using 
Corollary 1. 
Theorem 9. An aggregate adversary structure $\mathcal{A} = (\mathcal{A}_1, \ldots, \mathcal{A}_n)$ is complete 
for the KR setting iff all pairs of distinct users are KR connected in $\mathcal{A}$. 

The proof of Theorem 9 is given in the full version of the paper. A special case 
of Theorem 9 is when the users have no trust in each other (each $\mathcal{A}_i$ contains a 
set $\mathrm{Act}_i$ with $\mathrm{Act}_i^{\mathcal{U}} = \mathcal{U}$), in which case the condition can be phrased as: There 
exists at most one user who thinks that all KRS's can be corrupted. 
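The KR-connectedness condition and the completeness criterion of Theorem 9, as an added checker (our own code, not the paper's): KRS's and users are named strings, each $\mathcal{A}_i$ is given by its maximal sets $\mathrm{Act}_i$ (the condition is monotone in $\mathrm{Act}_i$ and $\mathrm{Act}_j$, so listing the maximal sets suffices), and `no_mutual_trust` builds the special case discussed after the theorem.

```python
from itertools import combinations

# Added example (not from the paper): a checker for the KR-connectedness
# condition of Theorem 9. KRSs and users are named strings; a corruption
# structure A_i is a list of sets Act_i of parties that U_i considers
# possible. Listing only the maximal sets suffices, since enlarging Act_i
# or Act_j can only make the condition harder to satisfy.

def kr_connected(krs, users, A_i, A_j):
    """True iff for all Act_i in A_i, Act_j in A_j: Act_i misses some KRS,
    or Act_j misses some KRS, or Act_i ∪ Act_j misses some user."""
    krs, users = set(krs), set(users)
    for act_i in A_i:
        for act_j in A_j:
            both_all_krs = krs <= set(act_i) and krs <= set(act_j)
            all_users = users <= set(act_i) | set(act_j)
            if both_all_krs and all_users:
                return False     # the scenario the condition forbids
    return True

def complete_for_kr(krs, users, structures):
    """Theorem 9: complete iff every pair of distinct users is KR connected.
    Returns the first violating pair, or None when the structure is complete."""
    for ui, uj in combinations(users, 2):
        if not kr_connected(krs, users, structures[ui], structures[uj]):
            return (ui, uj)
    return None

def no_mutual_trust(krs, users, distrusted_krs):
    """Special case after Theorem 9: every user thinks all users may be
    corrupt; distrusted_krs[u] is the set of KRSs user u thinks may be
    corrupt, so u's single maximal set is all users plus those KRSs."""
    return {u: [set(users) | set(distrusted_krs[u])] for u in users}
```

In the special case the checker confirms the paper's phrasing: the structure is complete exactly when at most one user distrusts every KRS.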

5 Conclusion 

We proposed a notion of asymmetric trust in protocol security and gave a general 
definition of asymmetric secure MPC and gave specialized definitions of asym- 
metric secure broadcast, VSS, and SFE. We explored the feasibility of broadcast, 
VSS, and MPC in various models with asymmetric trust. A tight characteriza- 
tion of the feasibility of broadcast has been found for asymmetric trust, and 
nontrivial upper and lower bounds for VSS, and we have shown how to tolerate 
strictly stronger adversaries in MPC than with symmetric trust. It is an open 
problem to completely characterize the aggregate adversary structures that allow 
for MPC in the case with active adversaries and no set-up. 
Abstract. Secure multi-party computation (MPC) allows a set of $n$ 
players to securely compute an agreed function of their inputs, even 
when up to $t$ players are under the control of an adversary. Known asyn- 
chronous MPC protocols require communication of at least $\Omega(n^3)$ (with 
cryptographic security), respectively $\Omega(n^4)$ (with information-theoretic 
security, but with error probability and non-optimal resilience) field ele- 
ments per multiplication. 

We present an asynchronous MPC protocol communicating $O(n^3)$ 
field elements per multiplication. Our protocol provides perfect security 
against an active, adaptive adversary corrupting $t < n/4$ players, which 
is optimal. This communication complexity is to be compared with the 
most efficient previously known protocol for the same model, which re- 
quires $\Omega(n^5)$ field elements of communication (i.e., $\Omega(n^3)$ broadcasts). 
Our protocol is as efficient as the most efficient perfectly secure protocol 
for the synchronous model and the most efficient asynchronous protocol 
with cryptographic security. 

Furthermore, we enhance our MPC protocol for a hybrid model. 
In the fully asynchronous model, up to $t$ honest players might not be 
able to provide their input in the computation. In the hybrid model, 
all players are able to provide their input, given that the very first 
round of communication is synchronous. We provide an MPC protocol 
communicating $O(n^3)$ field elements per multiplication, where all 
players can provide their input if the first communication round turns 
out to be synchronous, and all but at most $t$ players can provide their 
input if the communication is fully asynchronous. The protocol does 
not need to know whether or not the first communication round is 
synchronous, thus combining the advantages of the synchronous world 
and the asynchronous world. The proposed MPC protocol is the first 
protocol with this property. 
efficiency, perfect security. 
1 Introduction 

1.1 Secure Multi-Party Computation 

Secure multi-party computation (MPC) enables a set of n players to securely 
evaluate an agreed function of their inputs even when t of the players are cor- 
rupted by a central adversary. A passive adversary can read the internal state 
of the corrupted players, trying to obtain information about the honest players’ 
inputs. An active adversary can additionally make the corrupted players deviate 
from the protocol, trying to falsify the outcome of the computation. 

The MPC problem dates back to Yao [Yao82]. The first generic solutions pre- 
sented in [GMW87, CDG87, GHY87] (based on cryptographic intractability as- 
sumptions) and later [BGW88, CCD88, RB89, Bea91] (with information-theoretic 
security) assume the existence of a synchronous network. Synchronous networks 
assume that there is a global clock, and that the delay of any message in the network 
is bounded by a constant. Such networks do not model real-life networks 
like the Internet well. 

1.2 Asynchronous Networks 

In asynchronous networks, messages are delayed arbitrarily. As worst-case 
assumption, the adversary is given the power to schedule the delivery of mes- 
sages. Asynchronous communication models real-world networks (like the In- 
ternet) much better than synchronous communication. However, protocols for 
asynchronous networks are much more involved than their synchronous counter- 
parts. This comes from the fact that when a player does not receive an expected 
message, he cannot decide whether the sender is corrupted (and did not send 
the message at all) or the message is just delayed in the network. 

This implies also that in fully asynchronous settings it is impossible to consider 
the inputs of all uncorrupted players. The inputs of up to t (potentially honest) 
players have to be ignored, because waiting for them could turn out to be endless. 

For a good introduction to asynchronous protocols, see [Can95]. Due to its 
complexity, asynchronous MPC has attracted much less research than syn- 
chronous MPC. The most important results on asynchronous MPC are [BCG93, 
BKR94, SR00, PSR02, HNP05]. 

In the asynchronous setting perfect information-theoretic security against an 
active adversary is possible if and only if t < n/4 (whereas cryptographic and 
unconditional security are possible if and only if t < n/ 3). 

1.3 Communication Complexity of MPC Protocols 

The first proposed MPC protocols secure against active adversaries were very in- 
efficient and so of theoretical relevance mainly. In the recent years lots of research 
concentrated on designing protocols with lower communication complexity (mea- 
sured in bits sent by honest players) . The currently most efficient MPC protocols 
for the synchronous model are [HMP00] (perfect security with $t < n/3$, $O(n^3)$ 
communication per multiplication), [DN07] (information-theoretic security with 
$t < n/3$, $O(n)$ communication per multiplication), [BH06] (information-theoretic 
security with $t < n/2$, communicating $O(n^2)$ per multiplication), [HN06] 
(cryptographic security with $t < n/2$, communicating $O(n)$ per multiplication). 

However, known MPC protocols for asynchronous networks still feature (un- 
practically) high communication complexities. The most efficient asynchronous 
protocol is the one of [HNP05] communicating $O(n^3)$ per multiplication 
while providing cryptographic security only. The most efficient information- 
theoretically secure protocols were proposed in [PSR02]. Both protocols 
are secure against an unbounded adversary corrupting up to $t < n/4$ players. 
The first one makes extensive use of the (communication-intensive) BA primitive¹ 
- $O(n^2)$ invocations per multiplication, which amounts to $\Omega(n^5)$ bits of com- 
munication per multiplication. The second one requires only $O(n^2)$ invocations 
of BA in total, however, still communicates $O(n^4)$ bits per multiplication, and 
provides unconditional security only (for which $t < n/4$ is not optimal). 

1.4 Contributions 

Known MPC protocols for the asynchronous setting suffer from two main dis- 
advantages in contrast to their more restrictive synchronous counterparts, both 
significantly reducing their practicability: Asynchronous protocols tend to have 
substantially higher communication complexity, and they do not allow one to take 
the inputs of all honest players. In this work, we propose a solution to both these 
problems. 

First, we present a perfectly secure asynchronous MPC protocol that com- 
municates only $O(n^3)$ field elements per multiplication. This very same com- 
munication complexity is also required by the most efficient known perfectly 
secure protocol for the synchronous model [HMP00], as well as by the most ef- 
ficient asynchronous protocol only secure against computationally bounded ad- 
versaries [HNP05]. The protocol provides perfect security against an unbounded 
adaptive active adversary corrupting up to $t < n/4$ players, which is optimal. In 
contrast to the previous asynchronous protocols, the new protocol is very simple. 

Second, we extend the protocol to a hybrid communication model (with the 
same security properties and the same communication complexity), allowing all 
players to give input if the very first round of the communication is synchronous, 
and taking at least $n - t$ inputs in a fully asynchronous setting. It is well-known 
that fully asynchronous protocols cannot take the inputs of all players; however, 
we show that a single round of synchronous communication is sufficient to take 
all inputs. We stress that it is important that this round is the first round, 
because assuming the $k$-th round to be synchronous implies that all rounds up 
to $k$ must also be synchronous. Furthermore, the protocol achieves the best of 
both worlds, i.e., takes the inputs of all players when indeed the first round 
is synchronous, and still takes the inputs of at least $n - t$ players even if the 
synchrony assumptions cannot be fulfilled. More precisely, the protocol takes 


¹ The most efficient known asynchronous BA protocol requires $\Omega(n^3)$. 

the inputs of at least $n - t$ players, and additionally, always takes the inputs of 
players whose first-round messages are delivered synchronously. 

2 Preliminaries 

2.1 Model 

We consider a set $\mathcal{P}$ of $n$ players, $\mathcal{P} = \{P_1, \ldots, P_n\}$, which are connected with a complete network of secure (private and authentic) asynchronous channels. The function to be computed is specified as an arithmetic circuit over a finite field $\mathbb{F} = \mathbb{Z}_p$ (with $p > n$), with input, addition, multiplication, random, and output gates. We denote the number of gates of each type by $c_I, c_A, c_M, c_R$, and $c_O$, respectively.

The faultiness of players is modeled in terms of a central adversary corrupting players. The adversary can corrupt up to $t$ players for any fixed $t$ with $t < n/4$, and make them deviate from the protocol in any desired manner. The adversary is computationally unbounded, active, adaptive, and rushing. Furthermore, in order to model the asynchronism of the network, the adversary can schedule the delivery of the messages in the network, i.e., she can delay any message arbitrarily. In particular, the order of the messages does not have to be preserved. However, every sent message will eventually be delivered.

The security of our protocols is perfect, i.e., information-theoretic without 
any error probability. 

2.2 Design of Asynchronous MPC Protocols 

Asynchronous protocols are executed in steps. Each step begins by the sched- 
uler choosing one message (out of the queue) to be delivered to its designated 
recipient. The recipient is activated by receiving the message, he performs some 
(internal) computation and possibly sends messages on his outgoing channel 
(and waits for the next message). 

The action to be taken by the recipient is defined by the relevant sub-protocol,2 consisting of a number of instructions specifying what is to be done upon receiving a specified message. If the received message refers to a sub-protocol which is not yet "in execution", then the player keeps the message until the relevant sub-protocol is invoked.

2.3 Partial Termination 

Many "asymmetric" tasks with a designated dealer (broadcast, secret-sharing) cannot be implemented with guaranteed termination in an asynchronous world; the players cannot distinguish whether the dealer is corrupted and does not start the protocol, or the dealer is correct but his messages are delayed in the network. Hence, these protocols are required to terminate only if the dealer is correct. However, we require that if such a sub-protocol terminated for one (correct) player, then it must eventually terminate for all correct players.

2 We assume that for each message it is clear to which sub-protocol it belongs.

The issue with partial termination is typically attacked by invoking $n$ instances of the protocol with partial termination in parallel, every player acting as dealer in one instance. Then, every player can wait till $n - t$ instances have terminated (from his point of view). In order to reach agreement on the set of terminated instances, a specialized sub-protocol is invoked, called agreement on a core-set. A player can only be contained in the core-set if his protocol instance has terminated for at least one honest player, and hence will eventually terminate for all honest players. The core-set contains at least $n - t$ players.

2.4 Input Provision 

Providing input is an inherently asymmetric task, and it is not possible to distinguish between a corrupted input player who does not send any message and a correct input player whose messages are delayed in the network. For this reason, in a fully asynchronous world it is not possible to take the inputs of all players; up to $t$ (possibly correct) players cannot be waited for, as this waiting could turn out to be endless. Hence, the protocol waits only till $n - t$ of the players have managed to provide input, and then goes on with the computation.

2.5 Byzantine Agreement 

We need three flavors of Byzantine agreement, namely broadcast, consensus, and 
core-set agreement. 

The broadcast (BC) primitive allows a sender to distribute a message among the players such that all players get the same message (even when the sender is corrupted), and the message they get is the sender's message if he is honest. As explained above, broadcast cannot be realized with complete termination; instead, termination of all (correct) players is required only when the sender is correct; however, as soon as at least one correct player terminates, all players must eventually terminate. Such a broadcast primitive can be realized rather easily [Bra84]. The required communication for broadcasting an $\ell$-bit message is $O(n^2 \ell)$, where the hidden constant is small.

Consensus enables a set of players to agree on a value. If all honest players start the consensus protocol with the same input value $v$ then all honest players will eventually terminate the protocol with the same value $v$ as output. If they start with different input values, then they will eventually reach agreement on some value. All known i.t.-secure asynchronous consensus protocols start by having every player broadcast his input value, which results in communication complexity $\Omega(n^3 \ell)$, where $\ell$ denotes the length of the inputs.

Agreement on a core set (ACS) is a primitive presented in [BCG93]. We use it to determine a set of at least $n - t$ players that correctly shared their values. More concretely, every player starts the ACS protocol with an accumulative set of players who from his point of view correctly shared one or more values (the share sub-protocol in which they acted as dealers terminated properly). The output of the protocol is a set of at least $n - t$ players who really correctly shared their values, which means that every honest player will eventually get a share of every sharing dealt by a dealer from the core set. The communication costs of an ACS protocol are essentially the costs of $n$ invocations of consensus (where the messages are indices of players), i.e., $\Omega(n^4 \log n)$ bits.

2.6 Super-Invertible Matrices 

We consider $r$-by-$c$ matrices $M$ over a field $\mathbb{F}$. When $r = c$, $M$ is called invertible if all column-vectors are linearly independent. When $r < c$, $M$ is called super-invertible if every subset of $r$ column-vectors is linearly independent.

Formally, for an $r$-by-$c$ matrix $M$ and an index set $C \subseteq \{1, \ldots, c\}$, we denote by $M_C$ the matrix consisting of the columns $i \in C$ of $M$. Then, $M$ is super-invertible if for all $C$ with $|C| = r$, $M_C$ is invertible.

Super-invertible matrices over $\mathbb{F}$ can be constructed as follows: Fix $c$ distinct elements $\alpha_1, \ldots, \alpha_c \in \mathbb{F}$, and for $i = 1, \ldots, r$, let $f_i(\cdot)$ be a polynomial of degree at most $r - 1$ with $f_i(\alpha_i) = 1$ and $f_i(\alpha_j) = 0$ for $j \in \{1, \ldots, r\} \setminus \{i\}$. Then, $M = \{m_{ij} = f_i(\alpha_j)\}$. $M$ is super-invertible because $M_{\{1, \ldots, r\}}$ is invertible (it is the identity matrix), and any $M_C$ for $C \subseteq \{1, \ldots, c\}$, $|C| = r$ can be mapped onto $M_{\{1, \ldots, r\}}$ using an invertible matrix given by Lagrange interpolation.

Super-invertible matrices are of great help to extract random elements from a set of some random and some non-random elements: Consider a vector $(x_1, \ldots, x_c)$ of elements, where for some $C \subseteq \{1, \ldots, c\}$ with $|C| = r$, the elements $\{x_i\}_{i \in C}$ are chosen uniformly at random (by honest players), and the elements $\{x_j\}_{j \notin C}$ are chosen maliciously (by corrupted players). Then, the vector $(y_1, \ldots, y_r) = M(x_1, \ldots, x_c)$ is uniformly random and unknown to the adversary.3

This means that given a super-invertible matrix and a set of c elements out 
of which at least r elements are chosen uniformly at random (and unknown to 
the adversary), we can generate r uniformly random elements (unknown to the 
adversary). 
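The construction and the extraction property above, as an added example in Python that is not the paper's code: the field $\mathbb{Z}_{101}$, the parameters $r$, $c$ and the points $\alpha_j$ are constructed. It builds $M$ from the Lagrange basis polynomials, checks every $r$-subset of columns for invertibility, and verifies the bijection of footnote 3 exhaustively; the 3-by-4 instance has the $(n-2t)$-by-$(n-t)$ shape the preparation phase uses for $n = 5$, $t = 1$.

```python
from itertools import combinations, product

P = 101  # constructed prime; the field F = Z_p of the paper with p > n


def super_invertible(r, c, alphas):
    """Build the r-by-c matrix M = (m_ij) with m_ij = f_i(alpha_j), where f_i is
    the degree <= r-1 polynomial with f_i(alpha_i) = 1 and f_i(alpha_k) = 0 for
    k in {1..r} \\ {i} (the Lagrange basis on alpha_1..alpha_r).
    alphas: c distinct field elements (constructed by the caller)."""
    assert len(alphas) == c and len(set(a % P for a in alphas)) == c
    M = [[0] * c for _ in range(r)]
    for i in range(r):
        for j in range(c):
            num, den = 1, 1
            for k in range(r):
                if k != i:
                    num = num * (alphas[j] - alphas[k]) % P
                    den = den * (alphas[i] - alphas[k]) % P
            M[i][j] = num * pow(den, P - 2, P) % P
    return M


def det_mod_p(A):
    """Determinant of a square matrix mod P by Gaussian elimination."""
    A = [row[:] for row in A]
    n, det = len(A), 1
    for col in range(n):
        piv = next((i for i in range(col, n) if A[i][col]), None)
        if piv is None:
            return 0
        if piv != col:
            A[col], A[piv] = A[piv], A[col]
            det = -det
        det = det * A[col][col] % P
        inv = pow(A[col][col], P - 2, P)
        for i in range(col + 1, n):
            f = A[i][col] * inv % P
            for k in range(col, n):
                A[i][k] = (A[i][k] - f * A[col][k]) % P
    return det % P


def is_super_invertible(M):
    """Definition of Section 2.6: every r-subset of columns forms an invertible matrix."""
    r, c = len(M), len(M[0])
    return all(det_mod_p([[M[i][j] for j in cols] for i in range(r)]) != 0
               for cols in combinations(range(c), r))


def mat_vec(M, x):
    return [sum(M[i][j] * x[j] for j in range(len(x))) % P for i in range(len(M))]


def extraction_is_bijection(M, honest_cols, adversarial):
    """Footnote 3 made executable: with the c-r adversarial entries fixed, the map
    from the r honest (uniformly random) entries x_C to y = M x hits all of F^r
    exactly once, so y is uniform and independent of the adversary's choice.
    adversarial: dict column index -> value chosen for the columns outside honest_cols."""
    r, c = len(M), len(M[0])
    assert set(adversarial) | set(honest_cols) == set(range(c))
    seen = set()
    for xs in product(range(P), repeat=r):
        x = [0] * c
        for col, val in zip(honest_cols, xs):
            x[col] = val
        for col, val in adversarial.items():
            x[col] = val
        seen.add(tuple(mat_vec(M, x)))
    return len(seen) == P ** r


def demo():
    """3-by-4 matrix as used by the preparation phase for n = 5, t = 1, plus a
    2-by-4 instance small enough for the exhaustive bijection check (honest
    columns 1 and 3 random, adversary fixes columns 0 and 2 to constructed values)."""
    M3 = super_invertible(3, 4, [1, 2, 3, 4])
    M2 = super_invertible(2, 4, [1, 2, 3, 4])
    return is_super_invertible(M3), extraction_is_bijection(M2, (1, 3), {0: 5, 2: 77})
```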

3 Protocol Overview 

The new protocol proceeds in three phases: the preparation phase, the input 
phase and the computation phase. Every honest player will eventually complete 
every phase. 

In the preparation phase many sharings of random values will be generated in parallel. For every multiplication gate, $3t + 1$ random sharings will be generated. For every random gate, one random sharing will be generated.

In the input phase the players share their inputs and agree on a core set of 
correctly shared inputs (every honest player will eventually get a share of every 
input from the core set). 

In the computation phase, the actual circuit will be computed gate by gate, based on the core-set inputs. Due to the linearity of the used secret-sharing, the linear gates can be computed locally, without communication. Each multiplication gate will be evaluated with the help of $3t + 1$ of the prepared sharings.

3 This follows from the observation that the $c - r$ maliciously chosen elements $\{x_j\}_{j \notin C}$ define a bijection from the $r$ random elements $\{x_i\}_{i \in C}$ onto $(y_1, \ldots, y_r)$.

4 Secret Sharing 

4.1 Definitions and Notations 

As secret-sharing scheme, we use the standard Shamir scheme [Sha79]: We say that a value $s$ is $d$-shared if every correct player $P_i$ is holding a share $s_i$ of $s$, such that there exists a degree-$d$ polynomial $p(x)$ with $p(0) = s$ and $p(i) = s_i$ for all $i = 1, \ldots, n$. We call the vector $(s_1, \ldots, s_n)$ of shares a $d$-sharing of $s$. A (possibly incomplete) set of shares is called $d$-consistent if these shares lie on a degree-$d$ polynomial.

Most of our sharings will be $t$-sharings (where $t$ denotes the maximum number of corrupted players). We denote a $t$-sharing of $s$ by $[s]$. In the multiplication sub-protocol, we will also use $2t$-sharings, which will be denoted by $[[s]]$.

4.2 Share1 and Recons — The Vanilla Protocols

In the following, we recap the Share1 and Recons protocols of [BCG93].4 Share1 allows a dealer $P_D$ to $t$-share a secret value $s \in \mathbb{F}$. Recons allows the players to reconstruct a $d$-sharing (for $d \le 2t$) towards a receiver $P_R$. We stress that the protocol Share1 does not necessarily terminate when the dealer $P_D$ is corrupted. However, when it terminates for some correct player, then it eventually terminates for all players. The protocol Recons always terminates.

The intuition behind the protocol Share1 is the following: In order to share a secret $s$, the dealer chooses a random two-dimensional polynomial $f(\cdot, \cdot)$ with $f(0, 0) = s$, and sends to every player $P_i$ the polynomials $g_i(\cdot) = f(i, \cdot)$ and $h_i(\cdot) = f(\cdot, i)$. Then the players pairwise check the consistency of the received polynomials, and publicly confirm successful checks. Once $n - t$ players are mutually consistent, the other players use the checking points received from these players to determine their respective polynomial $g_i(\cdot)$, and all players compute the share $s_i = g_i(0)$.

Protocol Share1 (Dealer $P_D$, secret $s \in \mathbb{F}$)

• Distribution — Code for Dealer $P_D$: Choose a random two-dimensional degree-$t$ polynomial $f(\cdot, \cdot)$ with $f(0, 0) = s$ and send to each player $P_i$ the two degree-$t$ polynomials $g_i(\cdot) = f(i, \cdot)$ and $h_i(\cdot) = f(\cdot, i)$.

• Consistency Checks — Code for player $P_i$:

1. Wait for $g_i(\cdot)$ and $h_i(\cdot)$ from $P_D$.

2. To each player $P_j$ send the share-share $s_{ji} = h_i(j)$.

3. Upon receiving $s_{ij}$ from $P_j$ check whether $s_{ij} = g_i(j)$. If so broadcast (ok, $i$, $j$).

• Output-computing — Code for Player $P_i$:

1. Wait until there is an $(n - t)$-clique in the graph implicitly defined by the broadcasted confirmations.5

2. Upon receiving at least $2t + 1$ $t$-consistent share-shares $s_{ij}$ (for $j \in \{1, \ldots, n\}$) from the players in the clique, find the interpolation polynomial $g_i(\cdot)$ and (re)compute your share $s_i = g_i(0)$.6

3. Output the share $s_i$.

4 We denote their sharing protocol by Share1, as it allows to share only one single

Lemma 1. For every coalition of up to $t$ bad players and every scheduler, the protocol Share1 achieves the following properties:

— Termination: If the dealer is correct, then every correct player will eventually complete Share1, and if some correct player has completed Share1, then all the correct players will eventually complete Share1.

— Correctness: Once a correct player has completed Share1, then there exists a unique value $r$ which is $t$-shared among the players, where $r = s$ if the dealer is correct.

— Privacy: If the dealer is correct, then the adversary obtains no information about the shared secret.

The communication complexity of Share1 is $O(n^2 \kappa + n^2 BC(\kappa))$.

The intuition behind the protocol Recons is the following: Every player $P_i$ sends his share to $P_R$. The receiver waits until receiving at least $d + t + 1$ $d$-consistent shares and outputs the value of their interpolation polynomial at 0. Note that corrupted players can send false shares to $P_R$, but at the latest when $P_R$ has received the shares of all honest players, he has at least $n - t \ge d + t + 1$ $d$-consistent shares (for $t < n/4$ and $d \le 2t$).

Protocol Recons (Receiver $P_R$, degree $d$, $d$-sharing of $s$)

• Code for player $P_i$: Send $s_i$ to $P_R$.

• Code for receiver $P_R$: Upon receiving at least $d + t + 1$ $d$-consistent shares $s_j$ (and up to $t$ inconsistent shares), interpolate the polynomial $p(\cdot)$ and output $s = p(0)$.

Lemma 2. For any $d$-shared value $s$, where $d + 2t < n$, for every coalition of up to $t$ bad players, and for every scheduler, the protocol Recons achieves the following properties:

— Termination: Every correct player will eventually complete Recons.

— Correctness: $P_R$ will output $s$.

— Privacy: When $P_R$ is honest, then the adversary obtains no information about the shared secret.

The communication complexity of the protocol Recons is $O(n \kappa)$.

Note that for $t < n/4$, Recons can be used to reconstruct $t$-sharings as well as $2t$-sharings. However, the protocol Share1 can only generate $t$-sharings.

5 The graph has $n$ nodes representing the $n$ players and there is an edge between $i$ and $j$ if and only if both (ok, $i$, $j$) and (ok, $j$, $i$) were broadcasted.

6 If the dealer is correct or if $P_i$ is a member of the clique, the interpolated polynomial equals the polynomial $g_i(\cdot)$ received from the dealer.

Proofs of security as well as details on solving the clique-problem in Share1 (respectively, reducing it to a computationally simpler problem) and on finding (and interpolating) $d + t + 1$ $d$-consistent shares in Recons, can be found in [BCG93].


4.3 Share*: Sharing Many Values at Once

The following protocol Share* extends the protocol Share1 in two ways: First, it allows the dealer to share a vector $(s^{(1)}, \ldots, s^{(\ell)})$ of $\ell$ secrets at once, substantially more efficiently than $\ell$ independent invocations of Share1. Secondly, Share* allows to share "empty" secrets, formally $s^{(k)} = \bot$, resulting in all shares of $s^{(k)}$ being $\bot$ as well. This will be used when a dealer should share an unknown value.

Protocol Share* (Dealer $P_D$, secrets $(s^{(1)}, \ldots, s^{(\ell)}) \in (\mathbb{F} \cup \{\bot\})^\ell$)

• Distribution — Code for Dealer $P_D$: For every $s^{(k)} \neq \bot$, choose a random two-dimensional degree-$t$ polynomial $f^{(k)}(\cdot, \cdot)$ with $f^{(k)}(0, 0) = s^{(k)}$. Send to every $P_i$ the polynomials $(g_i^{(1)}, h_i^{(1)}, \ldots, g_i^{(\ell)}, h_i^{(\ell)})$, where $g_i^{(k)}(\cdot) = f^{(k)}(i, \cdot)$ and $h_i^{(k)}(\cdot) = f^{(k)}(\cdot, i)$ if $s^{(k)} \in \mathbb{F}$, and $g_i^{(k)} = h_i^{(k)} = \bot$ if $s^{(k)} = \bot$.

• Consistency Checks — Code for player $P_i$:

1. Wait for $(g_i^{(1)}, h_i^{(1)}, \ldots, g_i^{(\ell)}, h_i^{(\ell)})$ from $P_D$.

2. To each $P_j$ send $(s_{ji}^{(1)}, \ldots, s_{ji}^{(\ell)})$, where $s_{ji}^{(k)} = h_i^{(k)}(j)$, resp. $s_{ji}^{(k)} = \bot$ if $h_i^{(k)} = \bot$.

3. Upon receiving $(s_{ij}^{(1)}, \ldots, s_{ij}^{(\ell)})$ from $P_j$, broadcast (ok, $i$, $j$) if for all $k = 1, \ldots, \ell$ it holds that $s_{ij}^{(k)} = g_i^{(k)}(j)$, resp. $s_{ij}^{(k)} = \bot = g_i^{(k)}$.

• Output-computing — Code for Player $P_i$:

1. Wait until there is an $(n - t)$-clique in the graph defined by the broadcasted confirmations.

2. For $k = 1, \ldots, \ell$: upon receiving at least $2t + 1$ $t$-consistent share-shares $s_{ij}^{(k)}$ (for $j \in \{1, \ldots, n\}$) from the players in the clique, find the interpolation polynomial $g_i^{(k)}(\cdot)$ and (re)compute the share $s_i^{(k)} = g_i^{(k)}(0)$. Upon receiving $2t + 1$ values $s_{ij}^{(k)} = \bot$ (for $j \in \{1, \ldots, n\}$), set $s_i^{(k)} = \bot$.

3. Output the shares $(s_i^{(1)}, \ldots, s_i^{(\ell)})$.

Lemma 3. The protocol Share* allows $P_D$ to share $\ell$ secrets from $\mathbb{F} \cup \{\bot\}$ at once, with the same security properties as required in Lemma 1. The communication complexity of Share* is $O(\ell n^2 \kappa + n^2 BC(\kappa))$.

5 Preparation Phase 

The goal of the preparation phase is to generate $t$-sharings of $\ell$ uniformly random values $r^{(1)}, \ldots, r^{(\ell)}$, unknown to the adversary, where $\ell$ will be $c_M(3t + 1) + c_R$.

The idea of the protocol PreparationPhase is the following: First, every player acts as dealer in Share* to share a vector of $\ell' = \lceil \ell / (n - 2t) \rceil$ random values. Then the players agree on a core set of $n - t$ correct dealers (such that their Share* protocol was completed by at least one honest player). This results in $n - t$ vectors of $\ell'$ correct $t$-sharings, but up to $t$ of these vectors may be known to the adversary (and may not be random). Then, these $n - t$ correct vectors are compressed to $n - 2t$ correct random vectors, unknown to the adversary, by using an $(n - 2t)$-by-$(n - t)$ super-invertible matrix (applied component-wise). This computation is linear, hence the players can compute their shares of the compressed sharings locally from their shares of the original sharings.

Protocol PreparationPhase ($\ell$)

Code for player $P_i$:

• Secret Sharing

• Act as a dealer in Share* to share a vector of $\ell' = \lceil \ell / (n - 2t) \rceil$ random values.

• For every $j = 1, \ldots, n$, take part in Share* with dealer $P_j$, resulting in the shares $(s_i^{(j,1)}, \ldots, s_i^{(j,\ell')})$.

• Agreement on a Core Set

1. Create an accumulative set $C_i = \emptyset$.

2. Upon completing Share* with dealer $P_j$, include $P_j$ in $C_i$.

3. Take part in ACS with the accumulative set $C_i$ as input.

• Compute Output (local computation)

1. Wait until ACS completes with output $C$. For simple notation, assume that $\{P_1, \ldots, P_{n-t}\} \subseteq C$.

2. For every $k \in \{1, \ldots, \ell'\}$, the $(n - 2t)$ $t$-shared random values, unknown to the adversary, are defined as $(r^{(1,k)}, \ldots, r^{(n-2t,k)}) = M(s^{(1,k)}, \ldots, s^{(n-t,k)})$, where $M$ denotes an $(n - 2t)$-by-$(n - t)$ super-invertible matrix, e.g., constructed according to Section 2.6. Compute your shares $(r_i^{(1,k)}, \ldots, r_i^{(n-2t,k)})$ accordingly. Denote the resulting $\ell'(n - 2t) \ge \ell$ sharings as $[r^{(1)}], \ldots, [r^{(\ell)}]$.

Lemma 4. PreparationPhase (eventually) terminates for every honest player. It outputs independent random sharings of $\ell$ secret, independent, uniformly random values $r^{(1)}, \ldots, r^{(\ell)}$. PreparationPhase communicates $O(\ell n^2 \kappa + n^3 BC(\kappa))$ bits and requires one invocation of ACS.

6 Input Phase 

In the InputPhase protocol every player $P_i$ acts as a dealer in one Share* protocol in order to share his input $s_i$.7 However, the asynchrony of the network does not allow the players to wait for more than $n - t$ Share* protocols to be completed. In order to agree on the players whose inputs will be taken into the computation, one ACS protocol is run.

7 $s_i$ can be one value or an arbitrarily long vector of values from $\mathbb{F}$.
Protocol InputPhase (Every $P_i$ has input $s_i$)

Code for player $P_i$:

• Secret Sharing

• Share your secret input $s_i$ with Share*.

• For every $j = 1, \ldots, n$ take part in Share* with dealer $P_j$.

• Agreement on a Core Set

1. Create an accumulative set $C_i = \emptyset$.

2. Upon completing Share* with dealer $P_j$, include $P_j$ in $C_i$.

3. Take part in ACS with your accumulative set $C_i$ as your input.

4. Output the agreed core set $C$ and your outputs of the Share* protocols with dealers from $C$.

Lemma 5. The InputPhase protocol will (eventually) terminate for every honest player. It enables the players to agree on a core set of at least $n - t$ players who correctly shared their inputs: every honest player will (eventually) complete the Share* protocol of every dealer from the core set (and get the correct shares of his shared input values). InputPhase communicates $O(c_I n^2 \kappa + n^3 BC(\kappa))$ bits and requires one invocation of ACS.

7 Computation Phase 

In the computation phase, the circuit is evaluated gate by gate, whereby all 
inputs and intermediate values are shared among the players. As soon as a 
player holds his shares of the input values of a gate, he joins the computation of 
the gate. 

Due to the linearity of the secret-sharing scheme, linear gates can be computed locally simply by applying the linear function to the shares, i.e., for any linear function $f(\cdot, \cdot)$, a sharing $[c] = [f(a, b)]$ is computed by letting every player $P_i$ compute $c_i = f(a_i, b_i)$. With every random gate, one random sharing (from the preparation phase) is associated, which is directly used as outcome of the random gate. With every multiplication gate, $3t + 1$ random sharings (from the preparation phase) are associated, which are used to compute a sharing of the product as described in the protocol Multiplication.

Protocol ComputationPhase ($(3t + 1)c_M + c_R$ random sharings)

For every gate in the circuit — Code for player $P_i$:

1. Wait until you have shares of each of the inputs.

2. Depending on the type of the gate, proceed as follows:

• Linear gate $[c] = f([a], [b], \ldots)$: compute your share $c_i$ as $c_i = f(a_i, b_i, \ldots)$.

• Multiplication gate $[c] = [a][b]$: participate in protocol Multiplication($[a], [b], [r^{(1)}], \ldots, [r^{(3t+1)}]$), where $[r^{(1)}], \ldots, [r^{(3t+1)}]$ denote the $3t + 1$ associated random sharings.

• Random gate $[r]$: set your share $r_i = r_i^{(k)}$, where $[r^{(k)}]$ denotes the associated random sharing.

• Output gate $[a] \to P_R$: participate in Recons($P_R$, $d = t$, $[a]$).

In order to compute multiplication gates, we use the approach of [DN07]: First, the players jointly generate a secret random value $s$, which is both $t$-shared (by $[s]$) and $2t$-shared (by $[[s]]$). These sharings can easily be generated based on the $3t + 1$ $t$-sharings associated with the multiplication gate. Then, every player locally multiplies his shares of $a$ and $b$, resulting in a $2t$-sharing of the product $c = ab$, i.e., $[[c]]$. Then, the players compute and reconstruct $[[c - s]]$, resulting in every player knowing $d = c - s$, pick a default $t$-sharing $[d]$, and (locally) compute $[c] = [d] + [s]$, the correct product $[ab]$.


Protocol Multiplication ($[a], [b], [r^{(1)}], \ldots, [r^{(3t+1)}]$)

Code for player $P_i$:

1. Prepare $[s]$: The degree-$t$ polynomial $p(\cdot)$ to share $s$ is defined by the shared coefficients $r^{(0)}, r^{(1)}, \ldots, r^{(t)}$. For every $P_j$, a sharing of his share $s_j = p(j)$ is defined as $[s_j] = [r^{(0)}] + [r^{(1)}]j + \ldots + [r^{(t)}]j^t$. Invoke Recons($P_j$, $d = t$, $[s_j]$) to let $P_j$ learn his degree-$t$ share $s_j$.

2. Prepare $[[s]]$: The degree-$2t$ polynomial $p'(\cdot)$ to share $s$ is defined by the shared coefficients $r^{(0)}, r^{(t+1)}, \ldots, r^{(3t)}$. For every $P_j$, a sharing of his share $s'_j = p'(j)$ is defined as $[s'_j] = [r^{(0)}] + [r^{(t+1)}]j + \ldots + [r^{(3t)}]j^{2t}$. Invoke Recons($P_j$, $d = t$, $[s'_j]$) to let $P_j$ learn his degree-$2t$ share $s'_j$.

3. Compute $[ab]$:

1. Compute your degree-$2t$ share of $c = ab$ as $c_i = a_i b_i$, resulting in $[[c]]$.

2. For every $j = 1, \ldots, n$, invoke Recons($P_j$, $d = 2t$, $([[c]] - [[s]])$), resulting in every $P_j$ knowing $d = c - s$.

3. Define $[d]$ as default sharing of $d$, e.g., the constant degree-0 polynomial.

4. Compute $[c] = [d] + [s]$.

Lemma 6. The protocol Multiplication (eventually) terminates for every honest player. Given correct sharings $[a], [b], [r^{(1)}], \ldots, [r^{(3t+1)}]$ as input, it outputs a correct sharing $[ab]$. The privacy is maintained when $([r^{(1)}], \ldots, [r^{(3t+1)}])$ are sharings of random values unknown to the adversary. Multiplication communicates $O(n^2 \kappa)$ bits.
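Recons (Section 4.2) and the Multiplication protocol above, simulated in Python as an added example that is not the paper's code: the prime $p = 101$, $n = 5$, $t = 1$, the inputs and the choice of the corrupted player are constructed, and the random sharings are indexed $r^{(0)}, \ldots, r^{(3t)}$ as in the protocol's steps. The corrupted player sends a false share in every reconstruction, and Recons still recovers the value because $d + t + 1$ consistent shares always exist among the honest ones.

```python
import random
from itertools import combinations

P = 101      # constructed prime; the paper's field F = Z_p with p > n
N, T = 5, 1  # constructed: n = 5 players, t = 1 corrupted, so t < n/4 and 3t+1 <= n-t


def poly_eval(coeffs, x):
    """Evaluate coeffs[0] + coeffs[1]*x + ... mod P (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def share(secret, degree, rng):
    """Degree-d Shamir sharing of `secret`: share of P_i is p(i) with p(0) = secret."""
    coeffs = [secret % P] + [rng.randrange(P) for _ in range(degree)]
    return [poly_eval(coeffs, i) for i in range(1, N + 1)]


def interpolate_at(points, x):
    """Lagrange interpolation through the (x_j, y_j) pairs, evaluated at x."""
    total = 0
    for xi, yi in points:
        num = den = 1
        for xj, _ in points:
            if xj != xi:
                num = num * (x - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def recons(received, degree):
    """Receiver side of Recons: received[i] is the share sent by P_{i+1}, up to T of
    them false. Find degree+T+1 degree-consistent shares and return their
    interpolation polynomial at 0. Such a set holds at least degree+1 correct
    shares, which determine the true polynomial, so no false share can lie on it."""
    pts = [(i + 1, s) for i, s in enumerate(received)]
    for subset in combinations(pts, degree + T + 1):
        base = subset[:degree + 1]
        if all(interpolate_at(base, x) == y for x, y in subset[degree + 1:]):
            return interpolate_at(base, 0)
    raise ValueError("fewer than degree+T+1 consistent shares received")


def deliver(sharing, bad):
    """Model the corrupted player `bad` (0-based index or None) sending a false share."""
    sent = list(sharing)
    if bad is not None:
        sent[bad] = (sent[bad] + 1) % P
    return sent


def multiplication(a_sh, b_sh, r_sh, bad=None):
    """Protocol Multiplication: a_sh, b_sh are t-sharings of a and b; r_sh holds the
    3t+1 t-sharings r^(0..3t) of random values. Returns the t-sharing [ab]."""
    assert len(r_sh) == 3 * T + 1
    # Step 1: [s] via p(x) = r^(0) + r^(1) x + ... + r^(t) x^t. P_j's share s_j = p(j)
    # is itself t-shared as [s_j] = sum_k [r^(k)] j^k and reconstructed towards P_j.
    s_sh = []
    for j in range(1, N + 1):
        sj = [sum(r_sh[k][i] * pow(j, k, P) for k in range(T + 1)) % P for i in range(N)]
        s_sh.append(recons(deliver(sj, bad), T))
    # Step 2: [[s]] via p'(x) = r^(0) + r^(t+1) x + ... + r^(3t) x^{2t}, same secret r^(0).
    ss_sh = []
    for j in range(1, N + 1):
        sj = [(r_sh[0][i] + sum(r_sh[T + k][i] * pow(j, k, P)
                                for k in range(1, 2 * T + 1))) % P for i in range(N)]
        ss_sh.append(recons(deliver(sj, bad), T))
    # Step 3: local products give [[c]] of degree 2t; open d = c - s at degree 2t.
    diff = [(a_sh[i] * b_sh[i] - ss_sh[i]) % P for i in range(N)]
    d = recons(deliver(diff, bad), 2 * T)
    # The default t-sharing of the public d is the constant polynomial; [c] = [d] + [s].
    return [(d + s_sh[i]) % P for i in range(N)]


def demo(a=7, b=9, bad=4, seed=1):
    """Share constructed inputs a and b, run Multiplication with P_{bad+1} corrupted,
    and return (reconstructed product, whether the output shares are t-consistent)."""
    rng = random.Random(seed)
    a_sh, b_sh = share(a, T, rng), share(b, T, rng)
    r_sh = [share(rng.randrange(P), T, rng) for _ in range(3 * T + 1)]
    c_sh = multiplication(a_sh, b_sh, r_sh, bad)
    base = [(i + 1, c_sh[i]) for i in range(T + 1)]
    consistent = all(interpolate_at(base, i + 1) == c_sh[i] for i in range(N))
    return recons(c_sh, T), consistent
```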

Lemma 7. The protocol ComputationPhase (eventually) terminates for every honest player. Given that the $\ell = (3t + 1)c_M + c_R$ sharings $[r^{(1)}], \ldots, [r^{(\ell)}]$ are correct $t$-sharings of random values, unknown to the adversary, it computes the outputs of the circuit correctly and privately, while communicating $O((n^2 c_M + n c_O)\kappa)$ bits (where $c_M$, $c_R$, and $c_O$ denote the number of multiplication, random, and output gates in the circuit, respectively).
8 The Asynchronous MPC Protocol

The following protocol allows the players to evaluate an agreed arithmetic circuit $C$ over a finite field $\mathbb{F}$. Denote the number of input, multiplication, random and output gates as $c_I, c_M, c_R, c_O$, respectively.

Protocol AsyncMPC ($C, c_I, c_M, c_R, c_O$)

1. Invoke PreparationPhase to generate $\ell = c_M(3t + 1) + c_R$ random sharings.

2. Invoke InputPhase to let the players share their inputs.

3. Invoke ComputationPhase to evaluate the circuit (consisting of linear, multiplication, random, and output gates).

Theorem 1. For every coalition of up to $t < n/4$ bad players and for every scheduler, the protocol AsyncMPC securely computes the circuit $C$. AsyncMPC communicates $O((c_I n^2 + c_M n^3 + c_R n^2 + n c_O)\kappa + n^3 BC(\kappa))$ bits and requires 2 invocations of ACS8 (which requires $O(n^2 BC(\kappa))$).

9 The Hybrid Model 

9.1 Motivation 

A big disadvantage of asynchronous networks is the fact that the inputs of up to $t$ honest players cannot be considered in the computation. This restriction disqualifies fully asynchronous models for many real-world applications. Unfortunately, this drawback is intrinsic to the asynchronous model; no protocol, however clever, can circumvent it. The only escape is to move to less general communication models, where at least some restriction on the scheduling of messages is given.

In [HNP05], an asynchronous (cryptographically secure) MPC protocol was presented in which all players can provide their inputs, given that one single round of communication is synchronous. However, this protocol has two serious drawbacks: First, the communication round which is required to be synchronous is round number 7 (we say that a message belongs to round $k$ if it depends on a message received in round $k - 1$). This essentially means that the first 7 rounds must be synchronous, because if not, then the synchronous round can never be started (the players would have to wait until all messages of round 6 are delivered, an endless wait in an asynchronous network).

The second drawback of this protocol is that one must decide a priori the 
mode in which the protocol is to be executed, namely either in the hybrid mode 
(with the risk that the protocol fails when some message in the first 7 rounds is 
not delivered synchronously), or in the fully asynchronous mode (with the risk 
that up to t honest players cannot provide their input, even when the network 
is synchronous). 

8 The protocol can easily be modified to use only a single invocation of ACS, by invoking PreparationPhase and InputPhase in parallel, and invoking ACS to find those dealers who have both correctly shared their input(s) as well as correctly shared enough random values.

9.2 Our Hybrid Model

We follow the approach of [HNP05], but strengthen it in both mentioned directions: First, we require only the very first round to be synchronous, and second, we guarantee that even if some messages in the first round are not delivered synchronously, still at least $n - t$ inputs are provided, so to speak the best of both worlds. A bit more precisely, we provide a fully asynchronous input protocol with the following properties:

• For every scheduler, the inputs of at least $n - t$ players are taken.

• If all messages sent by $P_i$ in the very first round of communication are delivered synchronously, then $P_i$'s inputs are taken.

This means in particular that if the first round is fully synchronous, then the inputs of all honest players are taken, and if the network is fully asynchronous, then at least $n - t$ inputs are taken.

9.3 Preparelnputs and Restorelnput 

We briefly describe the idea of the new input protocol (assuming, for the sake of simple notation, that every player gives exactly one input): In the first (supposedly synchronous) round, every player computes a degree-$t$ Shamir-sharing of his input and sends one share to each player. Then, the players invoke the fully asynchronous input protocol, where the input of each player is a vector consisting of his real input, and his shares of the inputs of the other players. As result of the asynchronous input protocol, a core set $C$ of at least $n - t$ players is found, whose input vectors are (eventually) $t$-shared among the players. For every player $P_j \in C$, the input is directly taken from his input vector. For every player $P_j \notin C$, the input is computed as follows: There are $n - t$ shares of his input, each $t$-shared as a component of the input vector of some player $P_i \in C$. Up to $t$ of these players might be corrupted and have input a wrong share. Therefore, these $t$-shared shares are error-corrected and used as $P_j$'s input. For error correction, $t + 1$ random $t$-sharings are used. These will be generated (additionally) in the preparation phase. Then, right before the computation phase, sharings of the missing inputs are computed.

In the following, we present a (trivial) sub-protocol PrepareInputs, which prepares the inputs of all players (to be invoked in the first, supposedly synchronous round), and a protocol RestoreInput, which restores the sharing of an input $s^{(k)}$ of a player not in the core set, if possible (to be invoked right before the computation phase). The protocol RestoreInput needs $t + 1$ $t$-sharings of random values, which must be generated in the preparation phase.

Protocol PrepareInputs (every $P_i$ holding input $s^{(i)}$)

Code for player $P_i$:

1. Choose a random degree-$t$ polynomial $p(\cdot)$ with $p(0) = s^{(i)}$ and send to every $P_j$ his share $s_j^{(i)} = p(j)$.

2. Collect shares (from $P_j$) till the first round is over. Then compose your new input $\vec{s}^{(i)} = (s^{(i)}, s_i^{(1)}, \ldots, s_i^{(n)})$, where $s_i^{(j)} = \bot$ if no share $s_i^{(j)}$ was received from $P_j$ within the first round.

Protocol RestoreInput (Core Set $C$, Input Sharings $[\vec{s}^{(i)}]$ of $P_i \in C$, $[r^{(0)}], \ldots, [r^{(t)}]$, $k$)

Code for player $P_i$:

1. Define the blinding polynomial $b(x) = r^{(0)} + r^{(1)}x + \ldots + r^{(t)}x^t$, and for every $P_j$, define $[b_j] = [b(j)] = [r^{(0)}] + [r^{(1)}]j + \ldots + [r^{(t)}]j^t$. Invoke Recons to reconstruct $b_j$ towards $P_j$, for every $P_j$.

2. For every $P_j \in C$, denote by $[s_j^{(k)}]$ the sharing of $P_j$'s share of $P_k$'s input. Note that $[s_j^{(k)}]$ is a part of the input vector $[\vec{s}^{(j)}]$. If $[s_j^{(k)}] \neq \bot$, then compute $[d_j] = [s_j^{(k)}] + [b_j]$, and invoke Recons to reconstruct $d_j$ towards every player.

3. If there exists a degree-$t$ polynomial $p(\cdot)$ such that at least $2t + 1$ of the reconstructed values $d_j$ lie on it, define $d'_i = p(i)$, and compute your share $s_i^{(k)}$ of $P_k$'s input as $d'_i - b_i$. The sharing of input $[s^{(k)}]$ was successfully restored. If no such polynomial $p(\cdot)$ exists, then $[s^{(k)}]$ cannot be restored.

Lemma 8. The protocols PrepareInputs and RestoreInput terminate for all players. When all messages of a player $P_k$ in Step 1 of PrepareInputs are synchronously delivered, then a sharing of his input $s^{(k)}$ can be successfully restored in RestoreInput, by any core set $C$ with $|C| \ge n - t$ (with up to $t$ cheaters). When an input sharing of an honest player $P_k$ is restored in RestoreInput, then the shared value is the correct input of $P_k$. Furthermore, both PrepareInputs and RestoreInput preserve the privacy of inputs of honest players.

Proof (sketch). Termination and privacy are easy to verify. We focus on correctness. First assume that $P_k$ is honest, and all his messages in Round 1 of PrepareInputs were synchronously delivered. Then every honest player $P_j$ embeds the share $s_j^{(k)}$ in his input vector. There will be at least $n - t$ players in the core set, so at least $n - 2t$ honest players $P_j$. This means that there are at least $n - 2t$ $t$-consistent shares $s_j^{(k)}$, and hence, at least $n - 2t$ consistent shares $d_j$. For $t < n/4$, we have $n - 2t \ge 2t + 1$, and the result is a sharing of $d - b = (s^{(k)} + b) - b = s^{(k)}$. Then assume that $P_k$ is honest, but not all his messages in Round 1 have been delivered synchronously. However, if there are $2t + 1$ points on the polynomial $p(\cdot)$, at least $t + 1$ of these points are from honest players, and hence the right input is restored.

9.4 The Hybrid MPC Protocol

The new main protocol for the hybrid model is as follows:

Protocol HybridMPC$(C, c_I, c_M, c_R, c_O)$

1. Invoke PrepareInputs to let every $P_i$ with input $s^{(i)}$ Shamir share $s^{(i)}$ among all players.

2. Invoke PreparationPhase to generate $\ell = c_M(3t+1) + c_R + c_I(t+1)$ random sharings.

3. Invoke InputPhase (with $P_i$'s input being the vector $\vec{s}^{(i)}$) to let the players share their input vectors.

4. Invoke RestoreInput to restore the inputs of every $P_k$ not in the core set.

5. Invoke ComputationPhase to evaluate the circuit (consisting of linear, multiplication, random, and output gates).

Theorem 2. For every coalition of up to $t < n/4$ bad players and for every scheduler, the protocol HybridMPC securely computes the circuit $C$, taking the inputs of all players (when the first round is synchronous), or taking the inputs of at least $n - t$ players (independently of any scheduling assumptions). HybridMPC communicates $O\big((c_I n^3 + c_M n^3 + c_R n^2 + c_O n)\kappa + n^3\,\mathrm{BC}(\kappa)\big)$ bits and requires 2 invocations of ACS (which can be reduced to 1).

10 Conclusions

We have presented an MPC protocol for the fully asynchronous model, which is perfectly secure against an active, adaptive adversary corrupting up to $t < n/4$ players, which is optimal. The protocol communicates only $O(n^3)$ field elements per multiplication. Even in the synchronous model, no perfectly secure MPC protocol with better communication complexity is known. Furthermore, the protocol is as efficient as the most efficient protocol for the asynchronous model, which provides only cryptographic security.

Furthermore, we have enhanced the protocol for a hybrid communication model, where the inputs of all players can be taken under the only assumption that the very first communication round is synchronous. This assumption is very realistic, as the players anyway have to agree on the set of involved players, on the circuit to be evaluated, etc. The proposed protocol combines the best of both the hybrid model and the fully asynchronous model: it allows at least $n - t$ players to provide their input (even when the communication is fully asynchronous), and additionally guarantees that the input of every player is taken, as long as his first-round messages are delivered synchronously.

Lastly, the proposed protocol is conceptually very simple. It uses neither player elimination nor repetition.
Abstract. Byzantine Agreement (BA) among $n$ players allows the players to agree on a value, even when up to $t$ of the players are faulty.

In the broadcast variant of BA, one dedicated player holds a message, and all players shall learn this message. In the consensus variant of BA, every player holds (presumably the same) message, and the players shall agree on this message.

BA is probably the most important primitive in distributed protocols, hence its efficiency is of particular importance.

BA from scratch, i.e., without a trusted setup, is possible only for $t < n/3$. In this setting, the known BA protocols are highly efficient ($O(n^2)$ bits of communication) and provide information-theoretic security.

When a trusted setup is available, then BA is possible for $t < n/2$ (consensus), respectively for $t < n$ (broadcast). In this setting, only computationally secure BA protocols are reasonably efficient ($O(n^3\kappa)$ bits). When information-theoretic security is required, the most efficient known BA protocols require $O(n^{17}\kappa)$ bits of communication per BA, where $\kappa$ denotes a security parameter. The main reason for this huge communication is that in the information-theoretic world, parts of the setup are consumed with every invocation of BA, and hence the setup must be refreshed. This refresh operation is highly complex and communication-intensive.

In this paper we present BA protocols (both broadcast and consensus) with information-theoretic security for $t < n/2$, communicating $O(n^5\kappa)$ bits per BA.

Keywords: Byzantine agreement, broadcast, consensus, information-theoretic security, multi-party computation, efficiency.


1 Introduction

1.1 Byzantine Agreement, Consensus, and Broadcast

The problem of Byzantine agreement (BA), as originally proposed by Pease, Shostak, and Lamport [PSL80], is the following: $n$ players $P_1, \dots, P_n$ want to reach agreement on some message $m$, but up to $t$ of them are faulty and try to prevent the others from reaching agreement. There are two flavors of the BA problem: In the broadcast problem, a designated player (the sender) holds an input message $m$, and all players should learn $m$ and agree on it. In the consensus problem, every player $P_i$ holds (supposedly the same) message $m_i$, and the players want to agree on this message.

* This work was partially supported by the Zurich Information Security Center. It represents the views of the authors.

More formally, a protocol with $P_S$ giving input $m$ is a broadcast protocol, when every honest $P_i$ outputs the same message $m'_i = m'$ for some $m'$ (consistency), and when $m' = m$, given that $P_S$ is honest (validity). Analogously, a protocol with every player $P_i$ giving input $m_i$ is a consensus protocol, when every honest $P_i$ outputs $m'_i = m'$ for some $m'$ (consistency), and when $m' = m$, given that every honest $P_i$ inputs the same message $m_i = m$ for some $m$ (validity).

1.2 Models and Bounds

We assume that the players are connected with a complete synchronous network of secure channels. Complete means that each pair of players shares a channel. Synchronous means that all players share a common clock and that the message delay in the network is bounded by a constant.

The feasibility of broadcast and consensus depends on whether or not a trusted setup (e.g., a PKI setup) is available. When no trusted setup is available ("from scratch"), then consensus and broadcast are achievable if and only if at most $t < n/3$ players are corrupted. When a trusted setup is available, then consensus is achievable if and only if at most $t < n/2$ players are corrupted, and broadcast is achievable if and only if at most $t < n$ players are corrupted. All bounds can be achieved with information-theoretic security, and the bounds are tight even with respect to cryptographic security. We stress in particular that no broadcast protocol (even with cryptographic intractability assumptions) can exceed the $t < n/3$ bound unless it can rely on a trusted setup [FLM86, Fit03]. The main difference between protocols with information-theoretic security and those with cryptographic security is their efficiency.

1.3 Efficiency of Byzantine Agreement

We are interested in the communication complexity of BA protocols. The bit complexity of a protocol is defined as the number of bits transmitted by all honest players during the whole protocol, overall.

In the model without trusted setup, Byzantine agreement among $n$ players is achievable for $t < n/3$ communicating $O(n^2)$ bits [BGP92, CW92]. In the model with a trusted setup, the communication complexity of BA heavily depends on whether information-theoretic security is required or cryptographic security is sufficient. When cryptographic security is sufficient, then $O(n^3\kappa)$ bits are sufficient for reaching agreement, where $\kappa$ denotes the security parameter [DS83]. When information-theoretic security is desired, then reaching agreement requires $O(n^6\kappa)$ bits of communication [BPW91, PW96].

However, the latter result consumes the setup, i.e., a given setup can be used only for one single BA operation. Of course, one can start with an $m$ times larger setup which supports $m$ BA operations, but the number of BA operations is a priori fixed, and the size of the setup grows linearly with the number of intended BA operations. This diametrically contrasts the cryptographic scenario, where a fixed-size setup is sufficient for polynomially many BA operations. In [PW96], a method for refreshing the setup is shown: They start with a compact setup, use some part of the setup to perform the effective BA operation, and the remaining setup to generate a new, full-fledged setup. With this approach, a constant-size setup is sufficient for polynomially many BA invocations. However, with every BA invocation, the setup must be refreshed, which requires a communication of $O(n^{17}\kappa)$ bits [PW96, Fit03]. Hence, when the initial setup should be compact, then the cost of a BA operation of [PW96] is as high as $O(n^{17}\kappa)$ bits.

1.4 Contributions

We present a protocol for information-theoretically secure Byzantine agreement (both consensus and broadcast) which communicates $O(n^4\kappa)$ bits when the setup may be consumed (i.e., the number of BA operations per setup is a priori fixed). This contrasts to the communication complexity of $O(n^6\kappa)$ bits of previous information-theoretically secure BA protocols [BPW91, PW96].

More importantly, we present a refresh operation for our BA protocol, communicating only $O(n^5\kappa)$ bits, contrasting the complexity of $O(n^{17}\kappa)$ bits of previous refresh protocols [PW96]. This new result allows for polynomially many information-theoretically secure BA operations from a fixed-size setup, where each BA operation costs $O(n^5\kappa)$ bits.

This substantial speed-up is primarily due to a new concept, namely that the refresh operation does not need to succeed all the time. Whenever the setup is to be refreshed, the players try to do so, but if they fail, they pick a fresh setup from an a priori prepared stock. Furthermore, using techniques from the player-elimination framework [HMP00], the number of failed refresh operations can be limited to $t$. Using algebraic information-theoretic pseudo-signatures [SHZI02] for appropriate parameters, the function to be computed in the refresh protocol becomes algebraic, more precisely a circuit over a finite field with multiplicative depth 1. Such a function is very well suited for efficient non-robust computation; in fact, it can be computed based on a simple one-dimensional Shamir sharing, although $t < n/2$.¹ This allows a very simple refresh protocol with low communication overhead.

Compared to the refresh protocol of [PW96], our refresh protocol has the disadvantage that it requires $t < n/2$, whereas the protocol of [PW96] can cope with $t < n$. However, almost all applications using BA as a sub-protocol (like voting, bidding, multi-party computation, etc.) inherently require $t < n/2$, hence the limitation on our BA protocol is usually of theoretical relevance only.

¹ Note that general MPC protocols for this model need a three-level sharing, namely a two-dimensional Shamir sharing ameliorated with authentication tags [RB89, Bea91].
2 Preliminaries

2.1 Formal Model

We consider a set of $n$ players $\mathcal{P} = \{P_1, \dots, P_n\}$, communicating over pairwise secure synchronous channels. Many constructions require a finite field $F$; we set this field to $F = GF(2^\kappa)$ where $\kappa$ is a security parameter (we allow a negligible error probability of $O(2^{-\kappa})$). To every player $P_i \in \mathcal{P}$, a unique non-zero element $\alpha_i \in F \setminus \{0\}$ is assigned. The faultiness of players is modeled by a central computationally unlimited adversary adaptively corrupting up to $t < n/2$ players and taking full control over them.

We assume that there is a trusted setup, i.e., before the protocol starts, a fixed probabilistic function $\mathrm{Init}: 1^\kappa \to (\mathrm{state}_1, \dots, \mathrm{state}_n)$ is run by a trusted party, and every player $P_i \in \mathcal{P}$ secretly receives $\mathrm{state}_i$ as his initial state.

2.2 Information-Theoretically Secure Signatures

A classical (cryptographic) signature scheme consists of three algorithms: KeyGen, Sign, and Verify. KeyGen generates two keys, a signing key for the signer and a public verification key; Sign computes a signature for a given message and a given signing key; and Verify checks whether a signature matches a message for a given verification key. A secure signature scheme must satisfy that every signature created by Sign is accepted by Verify (with the corresponding signing/verification keys; completeness), and that without the signing key it is infeasible to compute a signature which is accepted by Verify (unforgeability). Classical signature schemes provide cryptographic security only, i.e., an unbounded forger can always find an accepting signature for any given message by exhaustive search, using Verify as test predicate.

As an information-theoretically secure signature scheme must be secure even with respect to a computationally unbounded adversary, every verifier must have a different verification key, and these verification keys must be kept private. Thus it cannot be automatically guaranteed that a signature is either valid for all verifiers or for no verifier (it might be valid for one verifier, but invalid for another one). Therefore, an additional property called transferability is required: It is impossible for a faulty signer to produce a signature which, with non-negligible probability, is valid for some honest verifier without being valid for some other honest verifier. We say that a signature scheme is information-theoretically secure if it is complete, unforgeable and transferable.

In [SHZI02], a so-called $(\psi, \psi')$-secure signature scheme is presented, which allows the signer to sign a message $m \in F$ such that any of the players in $\mathcal{P}$ can verify the validity of the signature. As long as the signer signs at most $\psi$ messages and each verifier verifies at most $\psi'$ signatures, the success probability of attacks is less than $1/|F| = 2^{-\kappa}$.

Here, we use a one-time signature scheme (i.e., one setup allows only for one single signature), where every verifier may verify up to $t+2$ signatures (of the same signer). In the context of [SHZI02], this means that we set $\psi = 1$ and $\psi' = t+2$.
By simplifying the notation (and by assuming that $2t + 1 \leq n$), we obtain the following scheme:

KeyGen: Key generation takes as input the string $1^\kappa$, and outputs the signing key $sk$ to the signer $P_S$ and the $n$ verification keys $vk_1, \dots, vk_n$ to the respective verifiers $P_1, \dots, P_n$. The signing key is a random vector $sk = (p_0, \dots, p_{n+1}, q_0, \dots, q_{n+1}) \in F^{2(n+2)}$, defining the polynomial

$$F_{sk}(Y_1, \dots, Y_{n+1}, M) = p_0 + \sum_{j=1}^{n+1} p_j Y_j + M\Big(q_0 + \sum_{j=1}^{n+1} q_j Y_j\Big) = p_0 + M q_0 + \sum_{j=1}^{n+1} (p_j + M q_j)\, Y_j .$$

The verification key $vk_i$ of each player $P_i \in \mathcal{P}$ is the vector $vk_i = (v_{i,1}, \dots, v_{i,n+1}, x_i, y_i)$, where the values $v_{i,1}, \dots, v_{i,n+1}$ are chosen uniformly at random from $F$, and the $x_i$- and $y_i$-values characterize the polynomial $F_{sk}$ when applied to $v_{i,1}, \dots, v_{i,n+1}$, i.e., $x_i = p_0 + \sum_{j=1}^{n+1} p_j v_{i,j}$ and $y_i = q_0 + \sum_{j=1}^{n+1} q_j v_{i,j}$.

Sign: The signature $\sigma$ of a message $m \in F$ is a vector $\sigma = (\sigma_0, \dots, \sigma_{n+1})$, characterizing the polynomial $F_{sk}$ when applied to $m$, i.e., $\sigma_j = p_j + m q_j$ for $j = 0, \dots, n+1$.

Verify: Given a message $m$, a signature $\sigma = (\sigma_0, \dots, \sigma_{n+1})$, and the verification key $vk_i = (v_{i,1}, \dots, v_{i,n+1}, x_i, y_i)$ of player $P_i$, the verification algorithm checks whether

$$x_i + m\, y_i = \sigma_0 + \sum_{j=1}^{n+1} \sigma_j v_{i,j} \quad \Big(= F_{sk}(v_{i,1}, \dots, v_{i,n+1}, m)\Big).$$

The scheme has the following sizes: signing key: $(2n+4)\kappa$ bits; verification key: $(n+3)\kappa$ bits; signature: $(n+2)\kappa$ bits. The total information distributed for one signature scheme (called sig-setup) consists of $(n^2 + 5n + 8)\kappa$ bits.

Note that a sig-setup for the player set $\mathcal{P}$ is trivially also a valid sig-setup for every player subset $\mathcal{P}' \subseteq \mathcal{P}$. We will need this observation later.


Z. Beerliová-Trubíniová, M. Hirt, and M. Riser

3 Protocol Overview

Basically, the new broadcast protocol is the protocol of [DS83], ameliorated with information-theoretically secure signatures [SHZI02]. Similarly to [PW96], we start with a compact (constant-size) setup, which allows only for few broadcasts, and use some of these broadcasts for broadcasting the payload, and some of them to refresh the remaining setup, resulting in a fresh, full-fledged setup.

We borrow ideas from the player-elimination framework [HMP00] to substantially speed up the refresh protocol: The generation of the new setup is performed non-robustly, i.e., it may fail when an adversary is present, but then the failure is detected by (at least) one honest player. At the end of the refresh protocol, the players jointly decide (using one BA operation) whether the refresh has succeeded or not; if yes, they are happy to have generated a new setup. If it failed, they run a fault-handling procedure, which yields a set $E$ of two players, (at least) one of them faulty. As originally the set $\mathcal{P}'$ contains an honest majority, also the set $\mathcal{P}' \setminus E$ contains an honest majority. So the player set is reduced to $\mathcal{P}' \leftarrow \mathcal{P}' \setminus E$ (with at most $t' \leftarrow t' - 1$ faulty players).

We are still missing the fresh setup; however, as with each fault-handling, one faulty player is eliminated from the actual player set, faults can occur only $t$ times. For these $t$ cases, we have a stock of $t$ prepared setups, and with each fault, we take one out of this stock. This way it is ensured that at any point in the protocol, we have $t'$ prepared setups in stock, where $t'$ is the maximum number of faulty players in $\mathcal{P}'$. More precisely, the protocol runs as follows:

Initial Setup: The procedure Init generates $2 + 5t$ BA-setups:² one for the first BA operation, one for the first invocation of the refresh protocol, and $t$ extra setups for the stock, each consisting of 2 BA-setups for replacing the failed refresh and 3 BA-setups for localizing the set $E \subseteq \mathcal{P}'$ in the fault-handling procedure. The actual player set is set to $\mathcal{P}' = \mathcal{P}$ and the maximum number of faulty players in $\mathcal{P}'$ to $t' = t$.

Broadcast/Consensus: To perform a BA operation, the protocol Broadcast, resp. Consensus, is invoked with the payload. In parallel, Refresh is invoked to refresh the reduced setup. If successful, Refresh produces two BA-setups using only one single BA operation. If Refresh fails, 5 BA-setups are taken from the stock, an elimination set $E \subseteq \mathcal{P}'$ is localized (using 3 BAs) and eliminated ($\mathcal{P}' \leftarrow \mathcal{P}' \setminus E$, $t' \leftarrow t' - 1$), and the two remaining BA-setups are kept as new state for the next Broadcast/Consensus operation.

In our presentation, we ignore the fact that faulty players can send no message (or a message in a wrong format) when they are expected to send a message to an honest player. As a general rule, we assume that when an honest player does not receive an expected message, he behaves as if he had received the zero-message.

4 Broadcast and Consensus

We present the protocols for the actual broadcast and consensus operation.

Note that the Refresh protocol outputs a correct BA-setup for $\mathcal{P}'$ only (rather than $\mathcal{P}$). However, as $\mathcal{P} \setminus \mathcal{P}'$ might contain honest players, we need to achieve BA in $\mathcal{P}$. We first present the BA protocols for $\mathcal{P}'$, then show how to realize BA in $\mathcal{P}$ using these protocols.

As [SHZI02] signatures can cope only with messages in the field $F$, also our BA protocols are limited to messages $m \in F$. An extension to longer messages is sketched in the appendix.

² Init invokes KeyGen $4 + 10t$ times in parallel for each signer $P_S \in \mathcal{P}$. As will become clear later, $2n$ sig-setups are equivalent to one BA-setup.
We first present a broadcast protocol that allows a sender $P_S \in \mathcal{P}'$ to consistently distribute a message $m \in F$ to the players in $\mathcal{P}'$.³ The protocol is essentially the protocol of [DS83], with a simplified description of [Fit03]. In addition, the protocol is modified such that in one protocol run every player verifies at most $\psi' = t+2$ signatures of each signer (as required by our signature scheme).

Every player maintains a set $A$ of accepted messages, a set $N$ of newly accepted messages, and (one or several) sets $S_m$ of received signatures for a message $m$.

Protocol Broadcast'

0. Sender $P_S$: Send $m$ and the corresponding signature $\sigma_S$ to all $P_i \in \mathcal{P}'$.

1. $\forall P_i \in \mathcal{P}'$: If $P_i$ received from the sender a message $m$ together with a valid signature $\sigma_S$, set $A = N = \{m\}$ and $S_m = \{\sigma_S\}$.

k. In each Step $k = 2, \dots, t'+1$, execute the following sub-steps for every player $P_i \in \mathcal{P}' \setminus \{P_S\}$:

 k.1 For every message $m \in N$, compute the signature $\sigma_i$ on $m$, and send $(m, S_m \cup \{\sigma_i\})$ to all players in $\mathcal{P}'$. Set $N = \{\}$.

 k.2 In turn, for every message $(m, S_m)$ received in Sub-step k.1 do:

 - If $m \in A$, or if $|A| \geq 2$, ignore the message,

 - else if $S_m$ contains valid signatures from at least $k$ different players in $\mathcal{P}'$, including $P_S$, include $m$ in $A$ and in $N$,

 - else ignore the received message $(m, S_m)$ and all further messages from the player who has sent it.

t'+2. $\forall P_i$: if $|A| = 1$, then accept $m \in A$ as the broadcasted value. Otherwise, the sender is faulty, and accept $m = \bot$ (or any fixed pre-agreed value from $F$) as the broadcasted value.

One can easily verify that the protocol Broadcast' is as secure as the used signature scheme [DS83, Fit03] and that every player verifies at most $t+2$ signatures from the same signer. Furthermore, every signer $P_i$ issues up to two signatures; however, the second one is for the sole goal of proving to other players that the sender $P_S$ is faulty, and the secrecy of $P_i$'s signing key is not required anymore. Hence, it is sufficient to use a one-time signature scheme, whose unforgeability property is broken once the signer issues two signatures.
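The signature scheme of Section 2.2 and the protocol Broadcast' above, as an added example in Python that is not part of the paper or its authors' code. It assumes the prime field $GF(2^{61}-1)$ in place of $GF(2^\kappa)$, players indexed $0, \dots, n-1$ with one sig-setup per signer, a synchronous round loop simulated in a single process, and an equivocating sender as the only faulty behaviour (so the rule of ignoring all further messages from a misbehaving relay is not exercised and is left out). The names `SigSetup`, `recover_key` and `broadcast_prime` are mine. `recover_key` shows why the scheme is one-time: two signatures on different messages let every verifier solve for the signing key, which is exactly the property the paragraph above says may be given up after the second signature.

```python
import random

# Constructed stand-in for GF(2^kappa): the prime field GF(2^61 - 1).
P = (1 << 61) - 1


class SigSetup:
    """One sig-setup (Sect. 2.2) for one signer and n verifiers.
    sk = (p_0..p_{n+1}, q_0..q_{n+1}); vk_i = (v_{i,1..n+1}, x_i, y_i)."""

    def __init__(self, n, rng):
        self.n = n
        self.p = [rng.randrange(P) for _ in range(n + 2)]
        self.q = [rng.randrange(P) for _ in range(n + 2)]
        self.vk = []
        for _ in range(n):
            v = [rng.randrange(P) for _ in range(n + 1)]      # private to P_i
            x = (self.p[0] + sum(a * b for a, b in zip(self.p[1:], v))) % P
            y = (self.q[0] + sum(a * b for a, b in zip(self.q[1:], v))) % P
            self.vk.append((v, x, y))

    def sign(self, m):
        # sigma_j = p_j + m q_j for j = 0..n+1
        return tuple((a + m * b) % P for a, b in zip(self.p, self.q))

    def verify(self, i, m, sig):
        # verifier P_i checks x_i + m y_i = sigma_0 + sum_j sigma_j v_{i,j}
        v, x, y = self.vk[i]
        rhs = (sig[0] + sum(a * b for a, b in zip(sig[1:], v))) % P
        return (x + m * y) % P == rhs


def recover_key(m1, s1, m2, s2):
    """Two signatures on m1 != m2 give the linear system sigma_j = p_j + m q_j,
    which anyone can solve for (p, q): the scheme is strictly one-time."""
    inv = pow((m1 - m2) % P, P - 2, P)
    q = [((a - b) * inv) % P for a, b in zip(s1, s2)]
    p = [(a - m1 * b) % P for a, b in zip(s1, q)]
    return p, q


def broadcast_prime(n, t, sender, msgs, rng):
    """Broadcast' among players 0..n-1 with t' = t; everybody is honest except
    that the sender may hand a different msgs[i] to each P_i (equivocation).
    Returns {i: output} for the non-senders; None stands for the value bot."""
    sigs = [SigSetup(n, rng) for _ in range(n)]   # one sig-setup per signer
    A = [set() for _ in range(n)]                  # accepted messages
    N = [set() for _ in range(n)]                  # newly accepted messages
    S = [dict() for _ in range(n)]                 # S[i][m] = {signer: sig}
    others = [i for i in range(n) if i != sender]
    for i in others:                               # Steps 0 and 1
        m, sig = msgs[i], sigs[sender].sign(msgs[i])
        if sigs[sender].verify(i, m, sig):
            A[i].add(m); N[i].add(m); S[i][m] = {sender: sig}
    for k in range(2, t + 2):                      # Steps k = 2 .. t'+1
        outbox = []
        for i in others:                           # k.1: relay with own signature
            for m in N[i]:
                bundle = dict(S[i][m])
                bundle[i] = sigs[i].sign(m)
                outbox.append((m, bundle))
            N[i] = set()
        for i in others:                           # k.2: accept with >= k signers
            for m, bundle in outbox:
                if m in A[i] or len(A[i]) >= 2:
                    continue
                valid = {j for j, s in bundle.items() if sigs[j].verify(i, m, s)}
                if sender in valid and len(valid) >= k:
                    A[i].add(m); N[i].add(m); S[i][m] = bundle
    return {i: next(iter(A[i])) if len(A[i]) == 1 else None for i in others}
```

With $n = 4$, $t = 1$ and a sender that gives one player a different message, every honest player ends up with $|A| = 2$ and outputs $\bot$; with a consistent sender everybody outputs the sender's message, which is the consistency and validity of Section 1.1.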

To construct a consensus protocol in $\mathcal{P}'$, we use a trick of [Fit04]: Every player needs two sig-setups, a primary scheme for the same purpose as in the above protocol, and an alternative scheme for identifying the message (if there is any) originally held by the majority of the players. During the protocol execution, every player $P_i$ additionally maintains (one or several) sets $S'_m$, containing alternative signatures $\sigma'_j$ (issued by $P_j$) for $m$, where $S'_m$ with $|S'_m| \geq n' - t'$ now "replaces" the sender's signature in the above broadcast protocol. Now we present the consensus protocol for $\mathcal{P}'$, each $P_i$ holding a message $m_i \in F$:

³ Note that Broadcast' will not be used in the paper; it is presented only for the sake of clarity of the protocol Consensus'.
Protocol Consensus'

0. $\forall P_i \in \mathcal{P}'$: Send $m_i$ and the corresponding (alternative) signature $\sigma'_i$ to all players in $\mathcal{P}'$.

1. $\forall P_i \in \mathcal{P}'$: If there exists a message $m$ received (together with a valid signature) from at least $n' - t'$ different players, let $S'_m$ denote the set of all these signatures, and set $A = N = \{m\}$ and $S_m = \{\}$. If no such message exists, set $A = N = \{\}$.

k. In each Step $k = 2, \dots, t'+2$, execute the following sub-steps for every player $P_i \in \mathcal{P}'$:

 k.1 For every message $m \in N$, compute the signature $\sigma_i$ on $m$, and send $(m, S'_m, S_m \cup \{\sigma_i\})$ to all players in $\mathcal{P}'$. Set $N = \{\}$.

 k.2 In turn, for every message $(m, S'_m, S_m)$ received in Sub-step k.1 do:

 - If $m \in A$, or if $|A| \geq 2$, ignore the message,

 - else if $S_m$ contains valid signatures in the primary scheme from at least $k-1$ different players in $\mathcal{P}'$, and $S'_m$ contains valid signatures in the alternative scheme from at least $n' - t'$ different players in $\mathcal{P}'$, then include $m$ in $A$ and in $N$,

 - else ignore the received message and all further messages from the player who has sent it.

t'+3. $\forall P_i$: if $|A| = 1$, accept $m \in A$ as the agreed value, otherwise (there was no pre-agreement) accept $m = \bot$.

The security of the protocol Consensus' follows immediately from the security of the protocol Broadcast', and the fact that every player issues at most one signature in the alternative scheme, and each such signature is verified at most $t+1$ times. The communication complexity of BA in $\mathcal{P}'$ is at most $4n^3|\sigma| + 3n^2\kappa + n^2|\sigma| = (8n^4 + 26n^3 + 9n^2)\kappa$.

Broadcast and consensus in $\mathcal{P}$ can be constructed from consensus in $\mathcal{P}'$:

Protocol Broadcast

1. The sender $P_S \in \mathcal{P}$ sends the message $m$ to every player $P_i \in \mathcal{P}'$.

2. Invoke Consensus' to reach agreement on $m$ among $\mathcal{P}'$.

3. Every player $P_i \in \mathcal{P}'$ sends the agreed message $m$ to every player $P_j \in \mathcal{P}$.

4. Every player $P_j \in \mathcal{P}$ accepts the message $m$ which was received most often.

Protocol Consensus

1. Invoke Consensus' to reach agreement on $m$ among $\mathcal{P}'$.

2. Every player $P_i \in \mathcal{P}'$ sends the agreed message $m$ to every player $P_j \in \mathcal{P}$.

3. Every player $P_j \in \mathcal{P}$ accepts the message $m$ which was received most often.

The security of these protocols follows from the security of Consensus' and from $t' < n'/2$ and $t < n/2$: since $\mathcal{P}'$ has an honest majority, the value received most often in the last step is the value agreed upon by the honest players of $\mathcal{P}'$. The communication complexity of BA in $\mathcal{P}$ is at most $(8n^4 + 26n^3 + 11n^2)\kappa$.
5 Refreshing the Setup

5.1 Overview

To "refresh" the setup means to compute a new setup which allows for two BA operations, while this computation consumes only one BA-setup. The protocol Refresh generates the new setup with a special-purpose MPC among the players in $\mathcal{P}'$. This computation is performed non-robustly. Every sub-protocol either achieves its intended goal, or it fails. When it fails, then at least one honest player detects the failure. We do not require agreement on whether or not a sub-protocol has failed. Only at the very end of Refresh, the players agree on whether or not a player has detected a failure during the computation (using consensus, thereby consuming one BA-setup). The computation takes only random values as input, so in case of failure, privacy is of no interest.

The computation of the verification keys will not only be non-robust, but even non-detectable, i.e., it might output wrong values without any (honest) player detecting the failure. However, once the verification keys are generated, their correctness is verified, and honest players can detect whether or not there was a failure.

We provide a fault-handling sub-protocol, to be invoked when Refresh fails, which localizes a set $E \subseteq \mathcal{P}'$ of two players, where (at least) one of them is faulty. This allows to reduce the actual player set, thereby reducing the maximum number of faulty players, thereby limiting the number of times Refresh can fail. In this fault-handling sub-protocol, every player sends to some designated player all messages he has received during the course of the protocol, as well as all random elements he sampled (which define the sent messages). Given this information, the designated player can help to compute the set $E$ to eliminate.

In the sequel, we present the used sub-protocols (all of them non-robust), and finally the protocols Refresh and FaultHandling. The protocol Refresh invokes the protocol Consensus' once, hence it consumes one valid BA-setup. The protocol FaultHandling invokes the protocol Broadcast 3 times; it requires enough BA-setups for that. However, the protocol FaultHandling is invoked only $t$ times in total, so the required BA-setups can be prepared beforehand.

For the sake of a simpler presentation, we give to every player $P_i$ a flag $\mathrm{fail}_i$, which is initialized to false, and is set to true once $P_i$ has detected a failure. We say that a protocol succeeds when no player has detected a failure; otherwise, the protocol fails.

5.2 Secret Sharing

We use standard Shamir sharing [Sha79]. We say that a value $a$ is $t'$-shared among the players $\mathcal{P}'$ if there exists a degree-$t'$ polynomial $f(\cdot)$ with $f(0) = a$, and every (honest) player $P_i \in \mathcal{P}'$ holds a share $\langle a \rangle_i = f(\alpha_i)$, where $\alpha_i$ is the unique evaluation point assigned to $P_i$. We denote the collection of shares as $\langle a \rangle$. Observe that we can easily add up shared values, namely $\langle a + b \rangle = (\langle a \rangle_1 + \langle b \rangle_1, \dots, \langle a \rangle_{n'} + \langle b \rangle_{n'})$. We write $\langle a \rangle + \langle b \rangle$ as a shorthand.
In order to let a dealer $P_D \in \mathcal{P}'$ verifiably share a value $a$ according to Shamir sharing, we employ the following (non-robust) protocol (based on the VSS protocol of [BGW88]).

Protocol Share

1. (Distribution.) $P_D$ selects the coefficients $c_{i,j}$ at random, and sets $f(x, y) = a + c_{1,0}\,x + c_{0,1}\,y + c_{1,1}\,xy + \dots + c_{t',t'}\,x^{t'}y^{t'}$. Then, to every $P_i \in \mathcal{P}'$, $P_D$ computes and sends the polynomials $f_{i,*}(y) = f(\alpha_i, y)$ and $f_{*,i}(x) = f(x, \alpha_i)$.

2. (Checking.) For every pair $P_i, P_j \in \mathcal{P}'$, $P_i$ sends $f_{i,*}(\alpha_j)$ to $P_j$, who compares the received value with $f_{*,j}(\alpha_i)$. $P_j$ sets $\mathrm{fail}_j = \mathrm{true}$ if some difference is non-zero.

3. (Output.) Every $P_i$ outputs $\langle a \rangle_i = f_{i,*}(0)$.

Lemma 1. The protocol Share has the following properties: (Completeness) If all players in $\mathcal{P}'$ correctly follow the protocol, then the protocol succeeds. (Correctness) If the protocol succeeds, then the outputs $(\langle a \rangle_1, \dots, \langle a \rangle_{n'})$ define a degree-$t'$ polynomial $f(\cdot)$. (Validity & Privacy) If the protocol succeeds and the dealer is honest with input $a$, then $f(0) = a$ and no subset of $t'$ players obtains any information on $a$. (Complexity) The protocol communicates at most $(2n^2 - 2n)\kappa$ bits and requires at most $(\tfrac{1}{4}n^2 + \tfrac{1}{2}n - \tfrac{3}{4})\kappa$ random bits.

The following protocol lets the players in $\mathcal{P}'$ reconstruct a correctly Shamir-shared value $a$ towards a designated player $P_R \in \mathcal{P}'$:

Protocol Recons

1. Every player $P_i \in \mathcal{P}'$ sends his share $\langle a \rangle_i$ to the recipient $P_R$.

2. $P_R$ verifies whether $\langle a \rangle_1, \dots, \langle a \rangle_{n'}$ lie on a degree-$t'$ polynomial $f(\cdot)$ and outputs $a = f(0)$ if yes. Otherwise, $P_R$ sets $\mathrm{fail}_R = \mathrm{true}$ and outputs $a = 0$.

Lemma 2. The protocol Recons has the following properties: (Completeness) If all players in $\mathcal{P}'$ correctly follow the protocol, then the protocol succeeds. (Correctness) If the protocol succeeds, then $P_R$ outputs the correct secret $a$. (Complexity) The protocol communicates at most $(n-1)\kappa$ bits and requires no randomness.

5.3 Generating Random Values

We present a (trivial) protocol that allows the players to generate a random value $c \in_R F$, known to all players in $\mathcal{P}'$.

Protocol GenerateRandom

1. $\forall P_i \in \{P_1, \dots, P_{t'+1}\}$: select a random value $c_i \in_R F$ and invoke Share to share $c_i$ among $\mathcal{P}'$.

2. The players compute $\langle c \rangle = \langle c_1 \rangle + \dots + \langle c_{t'+1} \rangle$.

3. $\forall P_k \in \mathcal{P}'$: invoke Recons to reconstruct $\langle c \rangle$ towards player $P_k$.

Lemma 3. The protocol GenerateRandom has the following properties: (Completeness) If all players in $\mathcal{P}'$ correctly follow the protocol, then the protocol succeeds. (Correctness) If the protocol succeeds, then it generates a uniformly random value $c \in_R F$, known to all players $P_i \in \mathcal{P}'$. (Complexity) The protocol communicates at most $(n^3 + n^2 - 2n)\kappa$ bits and requires at most $(\tfrac{1}{8}n^3 + \tfrac{3}{8}n^2 + \tfrac{3}{8}n + \tfrac{1}{8})\kappa$ random bits.

Proof (sketch). Completeness and complexity follow from inspecting the protocol. We now focus on the case when the protocol succeeds. There is at least one honest player $P_h$ in $\{P_1, \dots, P_{t'+1}\}$, who chooses his value $c_h$ uniformly at random. As in Step 1 the adversary does not obtain any information about $c_h$ (privacy of Share), and as the values $c_i$ of every player $P_i \in \mathcal{P}'$ are fixed after Step 1 (correctness of Share), $c_h$ is statistically independent of all other values $c_j$ ($j \neq h$). Hence, the sum $c_1 + \dots + c_{t'+1}$ is uniformly distributed. □
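The three sub-protocols of Sections 5.2 and 5.3 (Share, Recons and GenerateRandom), as an added Python example that is not the paper's or its authors' code. It assumes the prime field $GF(2^{61}-1)$ in place of $GF(2^\kappa)$, evaluation points $\alpha_i = i$, a single process playing all parties, and, as the only modelled cheating, a dealer who hands $P_1$ an inconsistent row polynomial $f_{1,*}$; the names `share`, `recons`, `generate_random`, `_lagrange` and `_poly` are mine. The point worth seeing is the non-robust flavour of Lemmas 1 to 3: nobody agrees on anything, a bad dealer merely trips some honest player's fail flag, and a recipient whose shares do not lie on one degree-$t'$ polynomial outputs 0 and sets its own flag.

```python
import random

# Constructed stand-in for GF(2^kappa): the prime field GF(2^61 - 1).
P = (1 << 61) - 1


def _lagrange(points, x):
    """Evaluate at x the unique polynomial through points [(x_i, y_i)]."""
    total = 0
    for xi, yi in points:
        num, den = 1, 1
        for xj, _ in points:
            if xj != xi:
                num = num * (x - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def _poly(coeffs, x):
    return sum(c * pow(x, k, P) for k, c in enumerate(coeffs)) % P


def share(a, n, t, rng, cheat=False):
    """Protocol Share: the dealer picks f(x, y) of degree t in x and in y with
    f(0, 0) = a and hands P_i (alpha_i = i) the polynomials f_{i,*}(y) = f(i, y)
    and f_{*,i}(x) = f(x, i). Returns ({i: <a>_i}, {i: fail_i}).
    cheat=True models a dealer who sends P_1 an inconsistent f_{1,*}."""
    c = [[rng.randrange(P) for _ in range(t + 1)] for _ in range(t + 1)]
    c[0][0] = a % P                                   # c[u][j] is the coeff of x^u y^j
    rows, cols = {}, {}
    for i in range(1, n + 1):
        rows[i] = [sum(c[u][j] * pow(i, u, P) for u in range(t + 1)) % P
                   for j in range(t + 1)]             # f_{i,*}(y), coeffs in y
        cols[i] = [sum(c[u][j] * pow(i, j, P) for j in range(t + 1)) % P
                   for u in range(t + 1)]             # f_{*,i}(x), coeffs in x
    if cheat:
        rows[1][0] = (rows[1][0] + 1) % P             # constructed dealer fault
    fail = {j: False for j in range(1, n + 1)}
    for i in range(1, n + 1):                         # Checking step
        for j in range(1, n + 1):                     # P_i sends f_{i,*}(alpha_j) to P_j
            if _poly(rows[i], j) != _poly(cols[j], i):
                fail[j] = True
    shares = {i: _poly(rows[i], 0) for i in range(1, n + 1)}
    return shares, fail


def recons(shares, t):
    """Protocol Recons at the recipient: accept only if all shares lie on one
    degree-t polynomial; otherwise return (0, False), i.e. fail_R = true."""
    pts = sorted(shares.items())
    base = pts[:t + 1]                                # defines the candidate f
    if any(_lagrange(base, x) != y for x, y in pts):
        return 0, False
    return _lagrange(base, 0), True


def generate_random(n, t, rng, cheat=False):
    """Protocol GenerateRandom: P_1..P_{t+1} share random c_i, everybody adds
    the sharings, then the sum is reconstructed towards every player.
    Returns ({k: value seen by P_k}, some_player_failed)."""
    total, failed = {i: 0 for i in range(1, n + 1)}, False
    for d in range(1, t + 2):
        sh, fail = share(rng.randrange(P), n, t, rng, cheat=(cheat and d == 1))
        failed |= any(fail.values())
        for i in total:
            total[i] = (total[i] + sh[i]) % P         # <c> = <c_1> + ... + <c_{t+1}>
    seen = {}
    for k in range(1, n + 1):
        val, ok = recons(total, t)
        failed |= not ok
        seen[k] = val
    return seen, failed
```

Note that `recons` checks all $n'$ shares against the polynomial defined by the first $t'+1$ of them; any single tampered share is therefore caught as long as $n' \geq t'+2$, which holds for $t' < n'/2$.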


5.4 Generating One Sig-Setup 

Recall that a sig-setup for a designated signer P_s consists of the signing key 
(p_0, ..., p_{n'+1}, q_0, ..., q_{n'+1}), which should be random and known only to the 
signer P_s, and one verification key (v_{i,1}, ..., v_{i,n'+1}, x_i, y_i) for each player 
P_i ∈ P', where the values v_{i,1}, ..., v_{i,n'+1} should be random and known only to 
P_i,⁴ and the values x_i and y_i are computed as x_i = p_0 + Σ_{k=1}^{n'+1} p_k v_{i,k} 
and y_i = q_0 + Σ_{k=1}^{n'+1} q_k v_{i,k}, respectively. Table 1 summarizes the steps 
needed to compute these values. 


Table 1. Preparing one sig-setup 

Player  | Inputs (rand.)              | Intermediate (shared)                      | Outputs 
--------+-----------------------------+--------------------------------------------+--------------------------------- 
P_s     | p_0, ..., p_{n'+1},         |                                            | 
        | q_0, ..., q_{n'+1}          |                                            | 
P_1     | v_{1,1}, ..., v_{1,n'+1}    | p_1 v_{1,1}, ..., p_{n'+1} v_{1,n'+1}      | x_1 = p_0 + Σ_k p_k v_{1,k} 
        |                             | q_1 v_{1,1}, ..., q_{n'+1} v_{1,n'+1}      | y_1 = q_0 + Σ_k q_k v_{1,k} 
...     | ...                         | ...                                        | ... 
P_{n'}  | v_{n',1}, ..., v_{n',n'+1}  | p_1 v_{n',1}, ..., p_{n'+1} v_{n',n'+1}    | x_{n'} = p_0 + Σ_k p_k v_{n',k} 
        |                             | q_1 v_{n',1}, ..., q_{n'+1} v_{n',n'+1}    | y_{n'} = q_0 + Σ_k q_k v_{n',k} 


In our protocol, first every player P_i chooses and secret-shares his verification 
key (v_{i,1}, ..., v_{i,n'+1}). Then, the players jointly generate three random vectors 
(p_0, ..., p_{n'+1}), (q_0, ..., q_{n'+1}), and (r_0, ..., r_{n'+1}). The first two of these vectors 
will serve as signing key, and the third will serve as blinding in the verification 
of the computation. Then, for each of these three vectors, the values x_1, ..., x_{n'}, 
respectively y_1, ..., y_{n'} or z_1, ..., z_{n'}, are computed. Errors in this computation 
are not detectable: it might be that one of the x_i, y_i or z_i values is wrong, and still 
no honest player has detected a failure (however, when all players correctly 
follow the protocol, then all values will be correct). The correctness of these 
values is verified in an additional verification step: two random challenges ρ 
and φ are generated, the linearly combined (and blinded) signing vector 
(ρp_0 + φq_0 + r_0, ..., ρp_{n'+1} + φq_{n'+1} + r_{n'+1}) is computed, and it is (distributively) 
compared with the linearly combined verification keys. If all checks are successful, 
then (with overwhelming probability) all keys are correctly computed. 

⁴ The randomness of v_{i,1}, ..., v_{i,n'+1} is needed for the sole reason of protecting the 
verifier P_i, hence it must be guaranteed for honest verifiers only. 

Protocol GenerateSignatureSetup 

1. (Generate v_{i,k}-values.) Every P_i ∈ P' selects random v_{i,1}, ..., v_{i,n'+1} and 
invokes Share to share them. 

2. (Generate p_k-values.) Invoke GenerateRandom n' + 1 times to obtain shared 
p_0, ..., p_{n'+1}. 

3. (Compute x_i-values.) For every x_i, execute the following steps: 

3.1 Every P_j ∈ P' (locally) computes c_{i,j} = Σ_{k=1}^{n'+1} (p_k)_j (v_{i,k})_j and invokes 
Share to share it. 

3.2 The players compute ⟨x_i⟩ = ⟨p_0⟩ + Σ_{j=1}^{n'} λ_j ⟨c_{i,j}⟩, where λ_j denotes the 
j-th Lagrange coefficient.⁵ 

4. (Generate q_k/y_i-values.) Generate (q_0, ..., q_{n'+1}) and (y_1, ..., y_{n'}) along the 
lines of Steps 2-3. 

5. (Generate r_k/z_i-values.) Generate (r_0, ..., r_{n'+1}) and (z_1, ..., z_{n'}) along the 
lines of Steps 2-3. 

6. (Check correctness of the computed x_i/y_i-values.) 

6.1 Invoke GenerateRandom twice to generate random challenges ρ and φ. 

6.2 For k = 1, ..., n' + 1, compute and reconstruct towards every player 
⟨s_k⟩ = ρ⟨p_k⟩ + φ⟨q_k⟩ + ⟨r_k⟩. 

6.3 For i = 1, ..., n', compute ⟨w_i⟩ = s_0 + Σ_{k=1}^{n'+1} s_k ⟨v_{i,k}⟩. 

6.4 For i = 1, ..., n', compute ⟨w'_i⟩ = ρ⟨x_i⟩ + φ⟨y_i⟩ + ⟨z_i⟩. 

6.5 For i = 1, ..., n', reconstruct to every player ⟨d_i⟩ = ⟨w'_i⟩ − ⟨w_i⟩. 

6.6 Every P_j checks whether d_i = 0 for i = 1, ..., n', and sets fail_j = true in 
case of any non-zero value. 

7. (Announce x_i/y_i-values.) For every P_i ∈ P', invoke Recons to reconstruct 
⟨x_i⟩ and ⟨y_i⟩ towards P_i. 

Lemma 4. The protocol GenerateSignatureSetup has the following properties: 
(Completeness) If all players in P' correctly follow the protocol, then the protocol 
succeeds. (Correctness) If the protocol succeeds, then (with overwhelming 
probability) it generates a correct signature setup. (Privacy) If the protocol 
succeeds, then no subset of t' players obtains any information they are not allowed 
to obtain. (Complexity) The protocol communicates at most (11n⁴ + 4n³ − 3n² − 13n)κ 
bits and requires at most (2n⁴ + 4n³ + 2n² + 3)κ random bits. 

⁵ The j-th Lagrange coefficient can be computed as λ_j = Π_{l=1, l≠j}^{n'} α_l / (α_l − α_j). 

Proof (sketch). (Completeness) We consider the case that all players follow 
the protocol, hence no sub-protocol fails. Observe that for every i = 1, ..., n', 
the points (α_1, c_{i,1}), ..., (α_{n'}, c_{i,n'}) lie on a degree-2t' polynomial f_i(·) with 
f_i(0) = Σ_{k=1}^{n'+1} p_k v_{i,k}. This polynomial is well defined because n' > 2t', hence 
we can interpolate f_i(0) with Lagrange's formula.⁶ This interpolation is done 
distributively, i.e., every player P_j shares his c_{i,j}, then these sharings are 
combined using Lagrange's formula, and p_0 is distributively added, resulting in 
a sharing of x_i = p_0 + Σ_{k=1}^{n'+1} p_k v_{i,k}. Similarly, y_i = q_0 + Σ_{k=1}^{n'+1} q_k v_{i,k} and 
z_i = r_0 + Σ_{k=1}^{n'+1} r_k v_{i,k}. Clearly, for any ρ and φ, 
(ρp_0 + φq_0 + r_0) + Σ_{k=1}^{n'+1} (ρp_k + φq_k + r_k) v_{i,k} = ρx_i + φy_i + z_i, 
hence d_i = 0, and no player detects a failure in Step 6.6. 

(Correctness) We have to show that when the protocol succeeds, then for 
i = 1, ..., n' holds x_i = p_0 + Σ_{k=1}^{n'+1} p_k v_{i,k} and y_i = q_0 + Σ_{k=1}^{n'+1} q_k v_{i,k}. Observe 
that after Step 5, the values v_{i,k}, p_k, q_k, r_k, x_i, y_i, z_i are fixed (they all are 
t'-shared). When x_i and y_i do not satisfy the required equation above, then 
only with negligible probability, for random ρ and φ, they satisfy the equation 
(ρp_0 + φq_0 + r_0) + Σ_{k=1}^{n'+1} (ρp_k + φq_k + r_k) v_{i,k} = ρx_i + φy_i + z_i. 

(Privacy) We have to show that when the protocol succeeds, every player 
learns only his respective key (plus some random data he could have generated 
himself with the same probability). First observe that in Steps 1-5, the only 
communication which takes place is by invocation of Share, which leaks no 
information to the adversary. In Step 6, the values s_1, ..., s_{n'+1} and d_1, ..., d_{n'} 
are reconstructed. Every value s_k is blinded with a random r_k (unknown to the 
adversary), so it is uniformly random from the viewpoint of the adversary. The 
values d_i are either 0 (and hence the adversary can easily simulate them), or 
the protocol fails (and all computed values are discarded). 

(Complexity) The complexity can be verified by inspecting the protocol. □ 

⁶ Note that f_i(0) is arbitrary when a single player is incorrect, something we do not 
care about when arguing about completeness. 
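The share arithmetic behind GenerateRandom (Section 5.3) and Steps 2-6 of GenerateSignatureSetup, as an added example that is not part of the paper: it runs all n' players' shares in one process, including the distributed Lagrange interpolation of the degree-2t' product polynomial and the blinded challenge check of Step 6, and shows that a single wrong x_i produces a non-zero d_i. Assumed (not from the paper): a prime field GF(2^61 − 1) instead of GF(2^κ), plain Shamir sharing with evaluation points α_j = j as Share/Recons, and no fault detection inside Share.

```python
import random

P = (1 << 61) - 1             # constructed modulus: the Mersenne prime 2^61 - 1
N_PRIME, T_PRIME = 5, 2       # n' players with t'-sharings; n' > 2t' as the proof needs
ALPHA = list(range(1, N_PRIME + 1))   # evaluation point alpha_j = j of player P_j


def share(secret, degree=T_PRIME):
    """Share: Shamir-share `secret` with a random polynomial of the given degree."""
    coeffs = [secret] + [random.randrange(P) for _ in range(degree)]
    return [sum(c * pow(a, e, P) for e, c in enumerate(coeffs)) % P for a in ALPHA]


def lagrange_coeffs(points):
    """lambda_j = prod_{l != j} alpha_l / (alpha_l - alpha_j): weights recovering f(0)."""
    lams = []
    for aj in points:
        num = den = 1
        for al in points:
            if al != aj:
                num, den = num * al % P, den * (al - aj) % P
        lams.append(num * pow(den, P - 2, P) % P)
    return lams


LAMBDA = lagrange_coeffs(ALPHA)


def recons(shares):
    """Recons: f(0) from all n' shares (valid up to degree n' - 1, so also for 2t')."""
    return sum(l * s for l, s in zip(LAMBDA, shares)) % P


def add(a, b):
    return [(x + y) % P for x, y in zip(a, b)]


def scale(c, a):
    return [c * x % P for x in a]


def generate_random():
    """GenerateRandom: P_1..P_{t'+1} each share a random c_i; <c> = <c_1> + ... + <c_{t'+1}>."""
    acc = [0] * N_PRIME
    for _ in range(T_PRIME + 1):
        acc = add(acc, share(random.randrange(P)))
    return acc


def affine_eval(vec, v_i):
    """Step 3 for one i: <x_i> = <p_0> + sum_j lambda_j <c_{i,j}>, where P_j's local value
    c_{i,j} = sum_k (p_k)_j (v_{i,k})_j lies on the degree-2t' product polynomial f_i."""
    c = [sum(pk[j] * vk[j] for pk, vk in zip(vec[1:], v_i)) % P for j in range(N_PRIME)]
    acc = vec[0]
    for j in range(N_PRIME):
        acc = add(acc, scale(LAMBDA[j], share(c[j])))   # P_j shares c_{i,j}
    return acc


def generate_signature_setup(tamper=False):
    """Steps 1-6 of GenerateSignatureSetup; returns (d_1, ..., d_n') of Step 6.5.
    With tamper=True a wrong x_1, unnoticed by Share/Recons, is injected before the check."""
    v = [[share(random.randrange(P)) for _ in range(N_PRIME + 1)] for _ in range(N_PRIME)]
    p = [generate_random() for _ in range(N_PRIME + 2)]   # <p_0>, ..., <p_{n'+1}>
    q = [generate_random() for _ in range(N_PRIME + 2)]
    r = [generate_random() for _ in range(N_PRIME + 2)]   # blinding vector
    x = [affine_eval(p, v[i]) for i in range(N_PRIME)]
    y = [affine_eval(q, v[i]) for i in range(N_PRIME)]
    z = [affine_eval(r, v[i]) for i in range(N_PRIME)]
    if tamper:
        x[0] = add(x[0], share(1))          # <x_1 + 1>: still a consistent-looking sharing
    rho, phi = recons(generate_random()), recons(generate_random())    # Step 6.1
    s = [recons(add(add(scale(rho, p[k]), scale(phi, q[k])), r[k]))   # Step 6.2
         for k in range(N_PRIME + 2)]
    d = []
    for i in range(N_PRIME):
        w = [s[0]] * N_PRIME                  # Step 6.3: s_0 + sum_k s_k <v_{i,k}>
        for k in range(1, N_PRIME + 2):
            w = add(w, scale(s[k], v[i][k - 1]))
        w_prime = add(add(scale(rho, x[i]), scale(phi, y[i])), z[i])   # Step 6.4
        d.append(recons(add(w_prime, scale(P - 1, w))))                 # Step 6.5
    return d
```

The tampered run yields d_1 = ρ, so the check fails unless the random challenge ρ happens to be 0, which is the "overwhelming probability" of Lemma 4.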


5.5 The Refresh-Protocol 

In order to refresh a BA-setup, we need to generate two BA-setups, consuming 
only one BA-setup. Remember that one BA-setup consists of 2n' sig-setups (2 
for every potential signer); hence, Refresh needs to generate 4n' sig-setups. 

Protocol Refresh 

0. ∀P_i ∈ P': set fail_i = false. 

1. Invoke GenerateSignatureSetup 4n' times in parallel to generate 4 sig-setups 
for each signer P_s ∈ P'. 

2. ∀P_i ∈ P': Send fail_i to every P_j ∈ P'. 

3. ∀P_j ∈ P': Set fail_j = true if any received bit fail_i = true. 

4. Invoke Consensus' with P_i's input being fail_i. Denote the output as fail. 

5. ∀P_i ∈ P': send fail to every P_j ∈ (P \ P'). 

6. ∀P_j ∈ (P \ P'): Set fail as the majority of the received bits. 

It is easy to see that Refresh fails when any GenerateSignatureSetup failed for 
an honest player. On the other hand, when all players follow the protocol, then 
Refresh succeeds. Refresh communicates O(n⁵κ) bits. 

5.6 Fault Handling 

The following fault-handling procedure is invoked only when Refresh has failed 
(i.e., the players agree on fail = true). The goal of FaultHandling is to localize a 
set E ⊆ P' of two players, such that (at least) one of them is faulty. 

FaultHandling exploits the fact that there is no need to maintain the secrecy 
of the failed Refresh protocol. Basically, in FaultHandling the whole transcript 
of Refresh is revealed and there will be a message from some player P_i to some 
player P_j, where P_i claims to have sent some other message than P_j claims to 
have received; hence either P_i or P_j is lying, and we can set E = {P_i, P_j}. 
Unfortunately, it would be too expensive to publicly reveal the whole transcript; 
instead, the transcript is revealed towards a selected player (e.g. P_k ∈ P' with 
the smallest index k), who searches for the fault and announces it. 

We stress that the considered transcript not only contains the messages of all 
invocations of the protocol GenerateSignatureSetup, but also the messages of the 
protocol Refresh. This is important because it might be that no fault occurred 
in GenerateSignatureSetup, but still some (corrupted) player P_i claimed to have 
fail_i = true. 

Protocol FaultHandling 

1. Every P_i ∈ P' sends to P_k all random values chosen during the course of the 
protocol Refresh (including all sub-protocols), as well as all values received 
during the course of Refresh. 

2. P_k computes for every P_i the messages P_i should have sent (when being 
correct) during the course of Refresh; this can be done based on the random 
values and the received messages of P_i. 

3. P_k searches for a message from some player P_i ∈ P' to some other player 
P_j ∈ P', where P_i should have sent a message x_i (according to his claimed 
randomness), but P_j claims to have received x_j, where x_i ≠ x_j. Denote the 
index of this message by ℓ. 

4. P_k invokes Broadcast to announce (i, j, ℓ, x_i, x_j). 

5. P_i invokes Broadcast to announce whether he indeed sent x_i in the ℓ-th 
message. 

6. P_j invokes Broadcast to announce whether he indeed received x_j in the ℓ-th 
message. 

7. If both P_i and P_j confirm to have sent x_i, respectively to have received x_j, 
then E = {P_i, P_j}. If P_i does not confirm to have sent x_i, then E = {P_k, P_i}. 
If P_j does not confirm to have received x_j, then E = {P_k, P_j}. 

FaultHandling requires 3 BA invocations and communicates O(n⁵κ) bits. 

6 Conclusions 

We have presented a BA protocol for n players that achieves information-theoretic 
security against t < n/2 faulty players, communicating O(n⁵κ) bits (for some 
security parameter κ). The protocol requires a compact constant-size setup, as all 
BA protocols that tolerate t ≥ n/3 do (also those with cryptographic security 
only), and allows for polynomially many BA operations. 

This result improves on the existential result of [PW96], which communicates 
O(n¹⁷κ) bits per BA. 
A Long Messages 

The proposed BA protocols only capture messages m ∈ F, i.e., κ-bit messages. 
In order to reach BA on longer messages, one could invoke the according BA 
protocol several times (once for every κ-bit block). However, this would blow up 
the communication complexity unnecessarily: BA of an ℓκ-bit message would 
require a communication complexity of O(ℓn⁵κ) bits (as opposed to O(ℓκn² + n¹⁷κ) 
in [PW96]). In this section, we sketch a construction that allows BA of an 
ℓκ-bit message at costs of O(ℓκn² + n⁵κ) bits. 

In order to achieve the stated complexity, we need to replace the protocol 
Consensus' by Consensus_long'. The basic idea of Consensus_long' is straightforward: 
every player P_i ∈ P' sends his message m_i to every other player. Then, the 
players use Consensus' to reach agreement on a universal hash value. If agreement 
is achieved, all players output the message with the agreed hash value, otherwise 
they output ⊥. The key for the universal hash function is assumed to be pre-shared 
among the players as part of the BA-setup, and only reconstructed when 
needed. We also explain how this sharing is prepared in the Refresh protocol. 


A.1 Protocol Consensus_long' 

In the following, we present the protocol Consensus_long' among the players in P', 
reaching agreement on an ℓκ-bit message m. The protocol makes use of universal 
hashing [CW79]. As universal hash with key k ∈ F, we use the function U_k : 
F^ℓ → F, (m^(1), ..., m^(ℓ)) ↦ m^(1) + m^(2) k + ... + m^(ℓ) k^(ℓ−1). The probability that 
two different messages map to the same hash value for a uniformly chosen key 
is at most ℓ/|F|, which is negligible in our setting with F = GF(2^κ). 

Protocol Consensus_long' 

1. Every P_i ∈ P' sends his message m_i to every player P_j ∈ P'. 

2. The players reconstruct the random hash key k ∈ F, which is part of the BA 
setup. 

3. Every P_i ∈ P' computes (for his original message m_i) the universal hash 
U_k(m_i).⁷ 

4. The players in P' invoke Consensus' to reach agreement on the hash value h. 

5. If the above consensus fails (i.e., h = ⊥), then every P_i ∈ P' outputs ⊥. If 
it succeeds, then every P_i ∈ P' outputs that m_j received in Step 1 with 
U_k(m_j) = h. 

One can easily see that the above protocol reaches consensus on m, and that 
it communicates O(ℓκn²) plus one invocation of Consensus', i.e., communicates 
O(ℓκn² + n⁴κ) overall. 
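The universal hash U_k and the message-selection steps of Consensus_long', as an added example that is not part of the paper: it implements GF(2^64) arithmetic with a constructed reduction polynomial, evaluates U_k by Horner's rule over the κ-bit blocks of the message, and models Consensus' on the hash value by strict-majority agreement (an assumption standing in for the paper's protocol, not its definition).

```python
import secrets
from collections import Counter

KAPPA = 64
# Constructed reduction polynomial x^64 + x^4 + x^3 + x + 1 (irreducible over GF(2))
POLY = (1 << 64) | (1 << 4) | (1 << 3) | (1 << 1) | 1
BLOCK = KAPPA // 8            # bytes per field element


def gf_mul(a, b):
    """Multiplication in GF(2^64): carry-less product reduced modulo POLY."""
    res = 0
    while b:
        if b & 1:
            res ^= a
        b >>= 1
        a <<= 1
        if a >> KAPPA:
            a ^= POLY
    return res


def blocks(msg):
    """Split the message into kappa-bit elements m^(1), ..., m^(l) (last block zero-padded)."""
    return [int.from_bytes(msg[i:i + BLOCK].ljust(BLOCK, b"\0"), "big")
            for i in range(0, len(msg), BLOCK)]


def universal_hash(key, msg):
    """U_k(m) = m^(1) + m^(2) k + ... + m^(l) k^(l-1) in GF(2^kappa), via Horner's rule."""
    acc = 0
    for m in reversed(blocks(msg)):
        acc = gf_mul(acc, key) ^ m
    return acc


def fresh_key():
    """Step 2 modelled locally: the reconstructed hash key is a uniformly random element."""
    return secrets.randbelow(1 << KAPPA)


def consensus_prime(values):
    """Model of Consensus' (assumption, not the paper's protocol): the value held by a
    strict majority of the players, otherwise bottom (None)."""
    value, count = Counter(values).most_common(1)[0]
    return value if 2 * count > len(values) else None


def consensus_long(received, key):
    """Steps 3-5 of Consensus_long': `received` holds the messages m_1..m_n' sent in
    Step 1; every P_i hashes his own m_i, Consensus' agrees on h, and the player outputs
    the received message whose hash is h (or None when Consensus' returned bottom)."""
    h = consensus_prime([universal_hash(key, m) for m in received])
    if h is None:
        return None
    return next(m for m in received if universal_hash(key, m) == h)
```

Two distinct messages collide for at most ℓ−1 keys, since U_k(m) − U_k(m') is a non-zero polynomial in k of degree below ℓ; with κ = 64 that is the ℓ/|F| bound of the text.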


A.2 Generating the Hash Key 

The protocol Consensus_long' needs a random hash key to be known to all players 
in P'. We cannot afford to generate this hash key on-line (this would require 
several invocations of broadcast). Instead, we assume a robust sharing of a random 
field element to be part of every BA-setup. This sharing is then reconstructed 
when needed. 

As robust sharing, we use the scheme of [CDD+99]. Essentially, this is a two-dimensional 
Shamir sharing, ameliorated with so-called authentication tags. The 
sharing is constructed non-robustly; in the Share protocol, the players pairwisely 
check the consistency of the received shares, and fail in presence of faults. The 
sharing of the hash key is generated as sum of a sharing of each player in P'. 
Such a sharing can be computed with communicating O(n⁴κ) bits (and without 
involving broadcast). When the hash key is needed, then the sharing of the 
actual BA setup is reconstructed towards every player in P'. This is achieved 
by having every player send his shares (including the authentication tags) to 
every other player; this involves a communication of O(n³κ) bits. 

⁷ In order to do … m_i is split into blocks 
Abstract. We present six multiparty protocols with information-theoretic 
security that tolerate an arbitrary number of corrupt participants. All protocols 
assume pairwise authentic private channels and a broadcast channel (in a single 
case, we require a simultaneous broadcast channel). We give protocols for veto, 
vote, anonymous bit transmission, collision detection, notification and anonymous 
message transmission. Not assuming an honest majority, in most cases, a single 
corrupt participant can make the protocol abort. All protocols achieve functionality 
never obtained before without the use of either computational assumptions or of 
an honest majority. 

Keywords: Multiparty computation, anonymous message transmission, election 
protocols, collision detection, dining cryptographers, information-theoretic 
security. 


1 Introduction 

In the most general case, multiparty secure computation enables n participants 
to collaborate to compute an n-input, n-output function (one per participant). 
Each participant only learns his private output which, depending on the function, 
can be the same for each participant. Assuming that private random keys are 
shared between each pair of participants, we know that every function can 
be securely computed in the presence of an active adversary if and only if less 
than n/3 participants are corrupt; this fundamental result is due to Michael 
Ben-Or, Shafi Goldwasser and Avi Wigderson [BGW88] and David Chaum, Claude 
Crépeau and Ivan Damgård [CCD88]. When a broadcast channel is available, 
the results of Tal Rabin and Michael Ben-Or [RB89] tell us that this proportion 
can be improved to n/2. 

Here, we present six specific multiparty computation protocols that achieve 
correctness and privacy without any assumption on the number of corrupt 
participants. Naturally, we cannot always achieve the ideal functionality; for 
example, in some cases a single participant can make the protocol abort. This is 
the price to pay to tolerate an arbitrary number of corrupt participants and still 
provide information-theoretic privacy of the inputs. 

K. Kurosawa (Ed.): ASIACRYPT 2007, LNCS 4833, pp. 410–…, 2007. 

All protocols we propose have polynomial complexity in the number of participants 
and the security parameter. We always assume pairwise shared private 
random keys between each pair of participants, which allows pairwise private 
authentic channels. We also assume a broadcast channel and, even though it 
is a strong assumption, in some cases we need the broadcast to be simultaneous 
[CGMA85, HM05]. 

1.1 Summary of Results 

Our main contributions are in the areas of elections (vote) and anonymity 
(anonymous bit transmission and anonymous message transmission). Each protocol 
is an astute combination of basic protocols, which are also of independent 
interest, and that implement parity, veto, collision detection and notification. 

The main ingredient for our information-theoretically secure protocols is the 
dining cryptographers protocol [Cha88] (see also Section 2), to which we add the 
following simple yet powerful observation: if n participants each hold a private 
bit of an n-bit string with Hamming weight of parity p, then any single participant 
can randomize p by locally flipping his bit with a certain probability. It 
is impossible, however, for any participant to locally derandomize p. In the case 
of the anonymous message transmission, we also build on the dining cryptographers 
protocol by noting that a message that is sent can be ciphered with a 
one-time pad by having one participant (the receiver) broadcast a random bit. 
Any modification of the message can then be detected by the receiver with an 
algebraic manipulation detection code. 

Vote. Our vote protocol (Section 4) allows n participants to conduct an 
m-candidate election. The privacy is perfect but the protocol has the drawback that 
if it aborts (any corrupt participant can cause an abort), the participants can still 
learn information that would have been available had the protocol succeeded. 
For this protocol, we require a simultaneous broadcast channel. It would be 
particularly well-suited for a small group of voters that are unwilling to trust 
any third party and who have no advantage in making the protocol abort. 

Previous work on information-theoretically secure voting protocols includes 
[…], where a protocol is given in the context where many election authorities 
are present. To the best of our knowledge, our approach is fundamentally 
different from any other approaches for voting. It is the first to provide 
information-theoretic security without requiring or trusting any third party, 
while also providing ballot casting assurance (each participant is convinced that 
their input is correctly recorded [AN06]) and universal verifiability (each 
participant is convinced that only registered voters cast ballots and that the tally is 
correctly computed [SK95]). 

Anonymity. Anonymity is the power to perform a task without identifying the 
participants that are involved. In the case of anonymous message transmission, 
it is simply the capacity of the sender to transmit a private message to a specific 
receiver of his choosing without revealing either his identity or the identity of the 
receiver. A number of protocols have been suggested for anonymous transmission. 
Many of these rely on trusted or semi-trusted third parties as well as computational 
assumptions (for instance, the MIX-net [Cha81]). Here, we do not make 
any such assumptions. The most notable protocol for anonymous transmission 
in our context is the dining cryptographers protocol [Cha88], which allows a single 
sender to anonymously broadcast a bit, and provides information-theoretical 
security against a passive adversary. We present the protocol in a version that 
implements the multiparty computation of the parity function in Section 2. 

The case of multiple yet honest senders in the dining cryptographers protocol 
can be solved by time slot reservation techniques, as originally noted by 
Chaum [Cha88]. But nevertheless, any corrupt participant can jam the channel. 
Techniques offering computational security to this problem have been proposed 
[Cha88, WP89b]. Also, computational assumptions allow the removal of 
the reliance on a broadcast channel [WP89a]. 

In our implementation of anonymous bit transmission (Section …), we elegantly 
deal with the case of multiple senders by allowing an unlimited amount 
of participants to act as anonymous senders. Each anonymous sender can target 
any number of participants and send them each a private bit of his choice. Thus, 
the outcome of the protocol is, for each participant, a private list indicating how 
many 0s and how many 1s were received. The anonymity of the sender and receiver 
and the privacy of all transmitted bits is always perfectly achieved, but 
any participant can cause the protocol to abort, in which case the participants 
may still learn some information about their own private lists. 

We need a way for all participants to find out if the protocol has succeeded. 
This is done with the veto protocol (Section 3), which takes as input a single bit 
from each participant; the output of the protocol is the logical OR of the inputs. 
Our implementation differs from the ideal functionality since a participant that 
inputs 1 will learn if some other participant also input 1. We make use of this 
deviation from the ideal functionality in further protocols. 

In our fixed role anonymous message transmission protocol (Section …), we 
present a method which allows a single sender to communicate a message of 
arbitrary length to a single receiver. To the best of our knowledge, this is the first 
protocol ever to provide perfect anonymity, message privacy and integrity. For a 
fixed security parameter, the anonymous message transmission is asymptotically 
optimal. 

Our final protocol for anonymous message transmission (Section …) allows a 
sender to send a message of arbitrary length to a receiver of his choosing. While 
any participant can cause the protocol to abort, the anonymity of the sender 
and receiver is always perfectly achieved. The privacy of the message is preserved 
except with exponentially small probability. As far as we are aware, all 
previously proposed protocols for this task require either computational assumptions 
or a majority of honest participants. The protocol deals with the case of 
multiple senders by first executing the collision detection protocol (Section …), 
in which each participant inputs a single bit. The outcome only indicates if the 
sum of the inputs is 0, 1 or more. Compared to similar protocols called time 
slot reservation [Cha88, WP89b], our protocol does not leak any additional 
information about the number of would-be senders. The final protocol also makes 
use of the notification protocol (Section …) in which each participant chooses a 
list of other participants that are to be notified. The output privately reveals to 
each participant the logical OR of his received notifications. A special case of 
this protocol is when a single participant notifies another single participant; this 
is the version used in our final protocol to enable the sender to anonymously tell 
the receiver to act accordingly. 

1.2 Common Features to All Protocols 

All protocols presented in the following sections share some common features, 
which we now describe. Our protocols are given in terms of multiparty computation 
with inputs and outputs and involve n participants, indexed by i = 1, ..., n. 
In the ideal functionality, the only information that the participants learn is their 
output (and what can be deduced from it). Correctness refers to the fact that 
the outputs are correctly computed, while privacy ensures that the inputs are 
never revealed. 

The protocols ensure correctness and privacy even in the presence of an unlimited 
number of misbehaving participants. Two types of such behaviour are 
relevant: participants who collude (they follow the protocol but pool their information 
in order to violate the protocol's privacy), and participants who actively 
deviate from the protocol (in order to violate the protocol's correctness or privacy). 
Without loss of generality, these misbehaviours are modelled by assuming 
a central adversary that controls some participants, rendering them corrupt. The 
adversary is either passive (it learns all the information held by the corrupt 
participants), or active (it takes full control of the corrupt participants). We will 
deal only with the most general case of active adversaries, and require them to 
be static (the set of corrupt participants does not change). A participant that 
is not corrupt is called honest. Our protocols are such that if they do not abort, 
there exist inputs for the corrupt participants that would lead to the same output 
if they were to act honestly. If a protocol aborts, the participants do not 
learn any more information than they could have learned in an honest execution 
of the protocol. The input and output description applies only to honest 
participants. 

We assume that each pair of participants shares a private, uniformly random 
string that can be used to implement an authentic private channel. The participants 
have access to a broadcast channel and in some cases, it is simultaneous. 
A broadcast channel is an authentic broadcast channel for which the sender is 
confident that all participants receive the same value and the receivers know 
the identity of the sender. A simultaneous broadcast channel is a collection of 
broadcast channels where the input of one participant cannot depend on the 
input of any other participant. This could be achieved if all participants 
simultaneously performed a broadcast. In order to distinguish between the two types 
of broadcast, we sometimes call the broadcast channel a regular broadcast. It 
is not uncommon in multiparty computation to allow additional resources, even 
if these resources cannot be implemented with the threshold on the honest 
participants (the results of [RB89] which combine a broadcast channel with n/2 
honest participants being the most obvious example). Our work suggests that 
a simultaneous broadcast channel is an interesting primitive to study in this 
context. 

In all protocols, the security parameter is s. Unfortunately, in many of our 
protocols, a single corrupt participant can cause the protocol to abort. All protocols 
run in polynomial time with respect to the number of participants, the security 
parameter and the input length. Although some of the protocols presented in 
this paper are efficient, our main focus here is on the existence of protocols for 
the described tasks. We leave for future work improvement of their efficiency. 
Finally, due to lack of space, we present only sketches of security proofs. 


2 Parity 

Protocol 1 implements the parity function and is essentially the same as the 
dining cryptographers protocol [Cha88], with the addition of a simultaneous 
broadcast channel. Note that if we used a broadcast channel instead, then the 
last participant to speak would have the unfair advantage of being able to adapt 
his input in order to fix the outcome of the protocol! 


Protocol 1. Parity 
Input: x_i ∈ {0, 1} 
Output: y_i = x_1 ⊕ x_2 ⊕ ··· ⊕ x_n 
Broadcast type: simultaneous broadcast 
Achieved functionality: 
1) (Correctness) If the protocol does not abort, the output is the same as in the ideal 
functionality. 
2) (Privacy) No adversary can learn more than the output of the ideal functionality. 

Each participant i does the following: 

1. Select uniformly at random an n-bit string r_i = r_i^1 r_i^2 ... r_i^n with Hamming weight 
of parity x_i. 

2. Send r_i^j to participant j using the private channel; keep bit r_i^i to yourself. 

3. Compute z_i, the parity of the sum of all the bits received, including r_i^i. 

4. Use the simultaneous broadcast channel to announce z_i. 

5. After the simultaneous broadcast is finished, compute y_i = ⊕_{k=1}^n z_k. This is the 
outcome of the protocol. If the simultaneous broadcast fails, abort the protocol. 


Correctness and privacy follow from [Cha88]. Thus, any adversary can learn 
only what can be deduced from the corrupt participants' inputs and the outcome 
of the protocol. Note that this means that the adversary can deduce the 
parity of the inputs of the other participants. We will later use the two simple 
observations that there is no way to cheat except by refusing to broadcast and 
that any value that is broadcast is consistent with a choice of valid inputs. In 
the following protocols, we will adapt step 4 of the parity protocol to make 
it relevant to the scenario; this will allow us to remove the assumption of the 
simultaneous broadcast. We will also use the fact that if a single participant 
either does not broadcast, or broadcasts a random bit in step 4, then the value 
of the output of parity is known to this participant, but is perfectly hidden to 
all other participants. 

3 Veto 

In this section, we build on the parity protocol to give a protocol for the secure 
implementation of the veto function, which computes the logical OR of the 
participants' inputs (Protocol 2). As noted in Lemma 3, the protocol achieves a 
variant of the ideal functionality: any participant can passively learn the value 
of the logical OR of all other participants' inputs. This deviation from the ideal 
functionality is unavoidable since the two-participant ideal scenario is impossible 
to implement in our model. We will use this deviation in the collision detection 
protocol of Section …. 


Protocol 2. Veto 
Input: x_i ∈ {0, 1} 
Output: y_i = x_1 ∨ x_2 ∨ ··· ∨ x_n 
Broadcast type: regular broadcast 
Achieved functionality: 
1) (Reliability) No participant can make the protocol abort. 
2) (Correctness) The outcome of the protocol is the outcome of the ideal functionality. 
3) (Privacy) Any adversary learns the logical OR of the other participants' inputs but 
nothing more. 

The n participants agree on n orderings such that each ordering has a different last 
participant. 
result ← 0 
For each ordering, 
  Repeat s times: 
    1. Each participant i sets the value of p_i in the following way: if x_i = 0 then p_i = 0; 
    otherwise, p_i = 1 with probability 1/2 and p_i = 0 with complementary probability. 
    2. The participants execute the parity protocol with inputs p_1, p_2, ..., p_n, with the 
    exception that the simultaneous broadcast is replaced by a regular broadcast with 
    the participants broadcasting according to the current ordering (if any participant 
    refuses to broadcast, set the value result ← 1). If the outcome of parity is 1, then 
    set result ← 1. 
Output the value result. 


Lemma 1 (Reliability). No participant can make the veto protocol abort. 

Proof. If a participant refuses to broadcast, it is assumed that the output of the 
protocol is 1. □ 


416 A. Broadbent and A. Tapp 


Lemma 2 (Correctness). If all participants in the veto protocol have input $x_i = 0$, then the protocol achieves the ideal functionality with probability 1. If there exists a participant with input $x_i = 1$ then the protocol is correct with probability at least $1 - 2^{-s}$.

Proof. The correctness follows by the properties of the parity protocol, with the difference that we now have a broadcast channel instead of a simultaneous broadcast channel. The case where all inputs are 0 is trivial. Let $x_i = 1$ and suppose that the protocol is executed until the ordering in which participant i speaks last. Then with probability at least $1 - 2^{-s}$, in step 2 of veto, the output of the protocol will be set to 1. □

Lemma 3 (Privacy). In the veto protocol, the most an adversary can learn is the logical OR of the other participants' inputs. Additionally, this information is revealed, even to a passive adversary, with probability at least $1 - 2^{-s}$.

Proof. This follows from the properties of the parity protocol: for a given repetition, the adversary learns the parity of the honest participants' $p_i$'s, but nothing else. Because of the way that the $p_i$'s are chosen in step 1, if for any repetition this parity is odd, the adversary concludes that at least one honest participant has input 1; otherwise, if all repetitions yield 0, the adversary concludes that with probability at least $1 - 2^{-s}$, all the honest participants' inputs are 0. In all cases, this is the only information that is revealed; clearly, it is revealed to any passive adversary, except with exponentially small probability. Note that this information could be learned in the ideal functionality by assigning to all corrupt participants the input 0. □

4 Vote 

The participants now wish to conduct an m-candidate vote. The idea of Protocol 3 is simple. In the veto protocol, each participant with input 1 completely randomizes his input into the parity protocol, thus randomizing the output of parity. By flipping the output of parity with probability only 1/n, the probability of the outcome being odd becomes a function of the number of such flips. Using repetition, this probability can be approximated to obtain the exact number of flips with exponentially small error probability. This can be used to compute the number of votes for each candidate. Unfortunately, a corrupt participant can randomize his bit with probability higher than 1/n, enabling him to vote more than once. But since a participant cannot derandomize the parity, he cannot vote less than zero times. Verifying that the sum of the votes equals n ensures that all participants vote exactly once. Note that the protocol we present is polynomial in m and not in the length of m.

Lemma 4 (Correctness). If the vote does not abort, then there exists an input 
for each corrupt participant such that the output of the honest participants equals 
the output of the ideal functionality, except with probability exponentially small 
in s. 


Information-Theoretic Security Without an Honest Majority 417 


Protocol 3. Vote
Input: $x_i \in \{1, \ldots, m\}$
Output: for k = 1 to m, $y[k]_i = |\{x_j \mid x_j = k\}|$
Broadcast type: simultaneous broadcast
Achieved functionality:
1) (Correctness) If the protocol does not abort, then there exists an input $x_i$ for each corrupt participant such that the protocol achieves the ideal functionality.
2) (Privacy) Even if the protocol aborts, no adversary can learn more than what it would have learned by setting in the ideal functionality $x_i = 1$ for all corrupt participants.

Phase A
For each candidate k = 1 to m,
  For j = 1 to s,
  1. Each participant i sets the value of $p_i$ in the following way: if $x_i \neq k$ then $p_i = 0$; otherwise, $p_i = 1$ with probability 1/n and $p_i = 0$ with complementary probability.
  2. The participants execute the parity protocol to compute the parity of $p_1, p_2, \ldots, p_n$, but instead of broadcasting their output bit $z_i$, they store it as $z[k]_i^j$.

Phase B
All participants simultaneously broadcast $z[k]_i^j$ (j = 1, 2, ..., s). If the simultaneous broadcast is not successful, the protocol aborts.

Phase C
To compute the tally $y[k]_i$, for each value k = 1, ..., m, each participant sets
$$p[k]^j = \bigoplus_{i=1}^{n} z[k]_i^j, \qquad \sigma[k]_i = \frac{1}{s}\sum_{j=1}^{s} p[k]^j,$$
and if there exists an integer v such that
$$|\sigma[k]_i - \rho_v| < \frac{1}{2e^2 n}, \qquad \text{where } \rho_v = \frac{1}{2}\left(1 - \left(1 - \frac{2}{n}\right)^{v}\right),$$
then $y[k]_i = v$.
If for any k no such value v exists, or if $\sum_{k=1}^{m} y[k]_i \neq n$, the protocol aborts.


Proof. If all participants are honest, the correctness of the protocol is derived from the Chernoff bound as explained in the Appendix. Assume now t corrupt participants. Since the parity protocol is perfect, the only place participant i can deviate from the protocol is by choosing $p_i$ with an inappropriate probability. We first note that if the t corrupt participants actually transmit the correct number of private bits in phase A and broadcast the correct number of bits in phase B, then whatever they actually send is consistent with some global probability of flipping.

We use again the fact that it is possible to randomize the parity but not to derandomize it: if the corrupt participants altogether flip with a probability not consistent with an integer number of votes, either the statistics will be inconsistent, causing the protocol to abort, or we can interpret the results as being consistent with an integer number of votes. If they flip with a probability consistent with an integer different from t, then each $y[k]_i$ will be assigned a value, but with probability exponentially close to 1, we will have $\sum_{k=1}^{m} y[k]_i \neq n$ and the protocol will abort. □
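The following Python simulation of Phase A and Phase C of the vote is an added example and not code from the paper. It treats the parity protocol as perfect (its output is simply the XOR of the $p_i$), and it uses a decoding window of half-width $1/(2e^2 n)$ around each $\rho_v$, which is the tolerance implied by the Chernoff argument of the Appendix; the ballots are a constructed sample. The point it makes is the one of the proof above: a corrupt voter who randomizes more often than 1/n, or less often, does not obtain a wrong tally that passes; the statistics either fall outside every window or decode to a vote count whose sum is not n, and in both cases the protocol aborts.

```python
import random
from math import e


def rho(v, n):
    """rho_v of the Appendix: probability that one repetition of parity is odd
    when exactly v of the n participants flip their bit with probability 1/n
    (closed form of rho_0 = 0, rho_{v+1} = rho_v (1 - 1/n) + (1 - rho_v) / n)."""
    return 0.5 * (1.0 - (1.0 - 2.0 / n) ** v)


def tolerance(n):
    """Half-width of the decoding window around each rho_v (assumed 1/(2 e^2 n))."""
    return 1.0 / (2.0 * e * e * n)


def phase_a(votes, m, s, rng, flip_prob=None):
    """Phase A for all candidates. votes[i] is x_i in 1..m; flip_prob[i] is the
    probability with which participant i sets p_i = 1 when x_i is the current
    candidate (1/n for an honest participant, anything for a corrupt one).
    The parity protocol is perfect, so it is modelled as the XOR of the p_i.
    Returns sigma[k], the fraction of the s repetitions whose parity was odd."""
    n = len(votes)
    if flip_prob is None:
        flip_prob = [1.0 / n] * n
    sigma = {}
    for k in range(1, m + 1):
        odd = 0
        for _ in range(s):
            parity = 0
            for i, x in enumerate(votes):
                if x == k and rng.random() < flip_prob[i]:
                    parity ^= 1
            odd += parity
        sigma[k] = odd / s
    return sigma


def phase_c(sigma, n):
    """Phase C: map each sigma[k] to the unique v with |sigma[k] - rho_v| inside
    the window. Returns the tally, or None when the protocol aborts (no unique v
    for some k, or the tallies do not add up to n)."""
    tol = tolerance(n)
    tally = {}
    for k, sk in sigma.items():
        candidates = [v for v in range(n + 1) if abs(sk - rho(v, n)) < tol]
        if len(candidates) != 1:
            return None
        tally[k] = candidates[0]
    if sum(tally.values()) != n:
        return None
    return tally


def run_vote(votes, m, s, rng, flip_prob=None):
    """Full vote between honest-but-possibly-misflipping participants: tally or None."""
    return phase_c(phase_a(votes, m, s, rng, flip_prob), len(votes))


def demo(seed=2007, s=50000):
    """Constructed sample: 6 voters, 3 candidates, two votes each. Returns the
    honest tally, the outcome when voter 0 randomizes with probability 2/n
    (trying to vote twice) and the outcome when voter 0 never randomizes
    (trying to vote zero times); the last two abort."""
    ballots = [1, 1, 2, 2, 3, 3]
    honest = run_vote(ballots, 3, s, random.Random(seed))
    over = run_vote(ballots, 3, s, random.Random(seed), [2.0 / 6] + [1.0 / 6] * 5)
    under = run_vote(ballots, 3, s, random.Random(seed), [0.0] + [1.0 / 6] * 5)
    return honest, over, under


if __name__ == "__main__":
    print(demo())
```

With s = 50000 the standard deviation of $\sigma[k]_i$ is a few thousandths, several times smaller than the window, so the honest run decodes every candidate correctly; the over-randomizing voter pushes $\sigma[1]_i$ to about 7/18, which either lies in no window or decodes to 4 votes for candidate 1 and a sum of 8, and the non-randomizing voter makes candidate 1 decode to a single vote and the sum to 5.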

Lemma 5 (Privacy). In the vote protocol, no adversary can learn more than what it would have learned by assigning to all corrupt participants the input 1 in the ideal functionality, and this even if the protocol aborts.

Proof. Assume that the first t participants are corrupt. No information is sent in phase A or phase C. We thus have to concentrate on phase B where the participants broadcast their information regarding each parity. For each execution of parity, the adversary learns the parity of the honest participants' values, $p_{t+1} \oplus p_{t+2} \oplus \cdots \oplus p_n$, but no information on these individual values is revealed. The adversary can thus only evaluate the probability with which the other participants have flipped the parity. But this information could be deduced from the output of the ideal functionality, for instance by fixing the corrupt participants' inputs to 1. □

It is important to note that the above results do not exclude the possibility of an adversary causing the protocol to abort while still learning some information as stipulated in Lemma 5. This information could be used to adapt the behaviour of the adversary in a future execution of vote.

In addition to the above lemmas, it follows from the use of the simultaneous broadcast channel that an adversary cannot act in a way that a corrupt participant's vote depends on an honest participant's vote. In particular, it cannot duplicate an honest participant's vote. We claim that our protocol provides ballot casting assurance and universal verifiability. This is straightforward from the fact that participants do not entrust any computation to a third party: they provide their own inputs and can verify that the final outcome is computed correctly.


5 Anonymous Bit Transmission 

The anonymous bit transmission protocol enables a sender to privately and anonymously transmit one bit to a receiver of his choice. Protocol 4 actually deals with the usually problematic scenario of multiple anonymous senders in an original way: it allows an arbitrary number of participants to act as anonymous senders, each one targeting any number of participants and sending them each a chosen private bit. Each participant is also simultaneously a potential receiver: at the end of the protocol, each participant has a private account of how many anonymous senders sent the bit 0 and how many sent the bit 1. Note that in our formalism for multiparty computation, the privacy of the inputs implies the anonymity of the senders and receivers.

The security of the anonymous bit transmission protocol follows directly 
from the security of the vote and of the veto. Of course, the anonymous bit 
transmission also inherits the drawbacks of these protocols. More precisely we 
have the following: 

Lemma 6 (Correctness). The anonymous bit transmission protocol computes the correct output, except with exponentially small probability.

Proof. If the protocol does not abort, by Lemmas 2 and 4, except with exponentially small probability, all bits are correctly transmitted. □
Protocol 4. Anonymous Bit Transmission
Input: $x_i^j \in \{0, 1, \bot\}$, (j = 1, 2, ..., n)
Output: $y_i = \left(|\{x_j^i \mid x_j^i = 0\}|,\ |\{x_j^i \mid x_j^i = 1\}|\right)$
Broadcast type: regular broadcast
Achieved functionality:
1) (Correctness) If the protocol does not abort then the output of the protocol equals the output of the ideal functionality.
2) (Privacy) The privacy is the same as in the ideal functionality.

For each participant j,
1. Execute the vote protocol with m = 3 as modified below. The three choices are: 0, 1, or ⊥ (abstain). Each participant i chooses his input to the vote according to $x_i^j$, his choice of message to be sent anonymously to participant j. The vote protocol is modified such that:
  (a) The output strings are sent to participant j through the private channel.
  (b) Participant j computes the tally as in the vote and if this computation succeeds, he finds out how many participants sent him a 0, how many sent him a 1 and how many abstained. If this occurs (and the results are consistent) he sets his success bit $S_j$ to 0. If the vote aborts, he sets $S_j$ to 1.
Execute the veto protocol, using as inputs the success bits $S_j$. If the output of veto is 0, then the anonymous bit transmission succeeds. Otherwise, the protocol fails.


Lemma 7 (Privacy). In the anonymous bit transmission protocol, the privacy is the same as in the ideal functionality.

Proof. Each execution of the vote protocol provides perfect privacy, even if the protocol aborts. The final veto reveals some partial information about which honest participants have been targeted by corrupt participants, but this does not compromise the privacy of the protocol. □

In Protocol 4 the use of the private channel in step (a) can be removed and replaced by a broadcast channel. Since participant j does not broadcast, the messages remain private. Another modification of the protocol makes it possible to send m possible messages instead of just two, but note that the complexity is polynomial in m and not in the length of m. The transmission of arbitrarily long strings is discussed in Sections 8 and 9.

6 Collision Detection 

The collision detection protocol (Protocol 5) enables the participants to verify whether or not there is a single sender in the group. This will be used as a procedure for the implementation of anonymous message transmission in Section 9. Ideally, a protocol to detect a collision would have as inputs only $x_i \in \{0, 1\}$, with outputs in {0, 1, 2}, depending on the sum of the inputs. Unfortunately we do not know how to achieve such a functionality; instead, we allow any participant to choose to force output 2, which in our description corresponds to using input value 2.
Protocol 5. Collision Detection
Input: $x_i \in \{0, 1, 2\}$
Output: let $r = \sum_{i=1}^{n} x_i$; then $y_i = \min\{r, 2\}$
Broadcast type: regular broadcast
Achieved functionality:
1) (Reliability) No participant can make the protocol abort.
2) (Correctness) The output of the protocol equals the output of the ideal functionality.
3) (Privacy) An adversary cannot learn more than it could have learned by assigning to all corrupt participants the input 0 in the ideal functionality.

Veto A
All participants perform the veto protocol with inputs $\min\{x_i, 1\}$. As in Lemma 3, the participants note the value of the logical OR of the other participants' inputs.

Veto B
If the outcome of veto A is 0, skip this step. Otherwise, each participant with input 1 in veto A will set $b_i = 1$ if he detected in veto A that another participant had input 1, or if $x_i = 2$. All other participants set $b_i = 0$. Then all participants perform a second veto protocol with inputs $b_i$.

Output:
$y_i = 0$ if the outcome of veto A is 0;
$y_i = 1$ if the outcome of veto A is 1 and the outcome of veto B is 0;
$y_i = 2$ if the outcome of veto A is 1 and the outcome of veto B is 1.

Lemma 8 (Reliability). No participant can make the collision detection pro- 
tocol abort. 

Proof. This follows from the reliability of veto. □ 

Lemma 9 (Correctness). In the collision detection protocol, the output equals the output of the ideal functionality (except with exponentially small probability).

Proof. This follows from the correctness of the veto protocol. There are only two ways a corrupt participant can deviate from the protocol. First, participant i can set $b_i = 0$ although $x_i \in \{0, 1\}$ and although in the first veto his input was 1 and a collision was detected. The outcome of veto B will still be 1 since another participant with input 1 in veto A will input 1 in veto B. This is consistent with input $x_i = 1$. Second, participant i can set $b_i = 1$ although $x_i = 0$. If veto B is executed, then we know that another participant has input 1 in veto A. This is consistent with input $x_i = 1$. □

Note that we have raised a subtle deviation from the ideal protocol in the above 
proof: we showed how it is possible for a corrupt participant to set his input 
to 0 if all other participants have input 0 and to 1 otherwise. Fortunately, the 
protocol is still sufficiently good for the requirements of the following sections. 

Lemma 10 (Privacy). In the collision detection protocol, an adversary can- 
not learn more than it could have learned by assigning to all corrupt participants 
the input 0 in the ideal functionality. 

Proof. In each veto, an adversary can only learn whether or not there exists an honest participant with input 1. In all cases, this can be deduced from the outcome of the ideal functionality by setting the input to be 0 for all corrupt participants. □
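The Python simulation below is an added example (not code from the paper) covering both the veto protocol of Section 3 (Protocol 2) and the collision detection protocol above (Protocol 5), which is built from two vetoes. The parity protocol itself is not reproduced on this page, so it is modelled here under an assumption: each participant splits its bit into n shares that XOR to the bit, hands one share to every participant, and then broadcasts the XOR of the shares it holds, one participant after another in the agreed ordering; the XOR of the broadcasts is the parity. The simulation keeps, for every participant, what Lemma 3 says it learns (whether some other participant had input 1), since Veto B of Protocol 5 needs exactly that observation, and it models a participant who refuses to broadcast, which by Lemma 1 forces the veto output to 1 rather than an abort. The inputs in demo() are constructed.

```python
import random


def xor_all(bits):
    acc = 0
    for b in bits:
        acc ^= b
    return acc


def parity_protocol(p, order, rng, refusers=frozenset()):
    """Assumed model of the parity protocol (not given on this page): participant i
    splits p_i into n shares that XOR to p_i and gives one to every participant
    over private channels; participants then broadcast, in `order`, the XOR of the
    shares they hold, and the XOR of all broadcasts is the parity of the p_i.
    Returns None if a participant in `refusers` refuses to broadcast."""
    n = len(p)
    shares = []
    for b in p:
        row = [rng.randrange(2) for _ in range(n - 1)]
        row.append(b ^ xor_all(row))  # last share fixes the XOR of the row to b
        shares.append(row)
    broadcasts = []
    for j in order:  # regular broadcast: one participant at a time
        if j in refusers:
            return None
        broadcasts.append(xor_all(shares[i][j] for i in range(n)))
    return xor_all(broadcasts)


def veto(x, s, rng, refusers=frozenset()):
    """Protocol 2. Returns (result, detected): result is the OR of the inputs;
    detected[i] is True once participant i has seen an odd parity among the
    other participants' p_j in some repetition, i.e. the OR of the others'
    inputs (Lemma 3). The n orderings are rotations, each with a different
    last speaker."""
    n = len(x)
    orderings = [[(k + i) % n for i in range(n)] for k in range(1, n + 1)]
    result = 0
    detected = [False] * n
    for order in orderings:
        for _ in range(s):
            p = [1 if (x[i] == 1 and rng.randrange(2) == 1) else 0 for i in range(n)]
            out = parity_protocol(p, order, rng, refusers)
            if out is None:  # refusal to broadcast: output becomes 1 (Lemma 1)
                result = 1
                continue
            if out == 1:
                result = 1
            for i in range(n):
                if out ^ p[i] == 1:  # parity of the others' bits is odd
                    detected[i] = True
    return result, detected


def collision_detection(x, s, rng):
    """Protocol 5: min(sum of x_i, 2) computed from Veto A and Veto B, x_i in {0,1,2}."""
    n = len(x)
    a, detected = veto([min(xi, 1) for xi in x], s, rng)
    if a == 0:
        return 0
    b = [1 if (x[i] == 2 or (x[i] == 1 and detected[i])) else 0 for i in range(n)]
    b_out, _ = veto(b, s, rng)
    return 1 + b_out


def demo(seed=7, s=20):
    """Constructed inputs; returns the outcomes in order."""
    rng = random.Random(seed)
    return (
        veto([0, 1, 0, 0], s, rng)[0],                 # one input 1: output 1
        veto([0, 0, 0, 0], s, rng)[0],                 # all 0: output 0
        veto([0, 0, 0, 0], s, rng, refusers={2})[0],   # refuser: output forced to 1
        collision_detection([0, 0, 0, 0], s, rng),     # no sender: 0
        collision_detection([0, 1, 0, 0], s, rng),     # single sender: 1
        collision_detection([1, 0, 1, 0], s, rng),     # two senders: 2
        collision_detection([0, 0, 2, 0], s, rng),     # forced collision: 2
        veto([0, 1, 0], s, rng)[1],                    # who learned that another input was 1
    )


if __name__ == "__main__":
    print(demo())
```

The last entry of demo() illustrates Lemma 3: participants 0 and 2 learn that some other participant had input 1, while participant 1, the only one with input 1, sees only even parities among the others and learns nothing. In the two-sender case this very observation is what makes both senders set $b_i = 1$ in Veto B.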

7 Notification 

In the notification protocol (Protocol 6), each participant chooses a list of other participants to notify. The output privately reveals to each participant whether or not he was notified, but no information on the number or origin of such notifications is revealed. Because participants are notified one after another, our protocol does not exclude adaptive behaviours.


Protocol 6. Notification
Input: $\forall j \neq i$, $x_i^j \in \{0, 1\}$
Output: $y_i = \bigvee_{j \neq i} x_j^i$
Broadcast type: regular broadcast
Achieved functionality:
1) (Correctness) If the protocol does not abort then the output of the protocol equals the output of the ideal functionality.
2) (Privacy) The privacy is the same as in the ideal functionality.

For each participant i,
Participant i sets $y_i \leftarrow 0$.
Repeat s times:
1. Each participant $j \neq i$ sets the value of $p_j$ in the following way: if $x_j^i = 0$ then $p_j = 0$; otherwise, $p_j = 1$ with probability 1/2 and $p_j = 0$ with complementary probability. Let $p_i = 0$.
2. The participants execute the parity protocol with inputs $p_1, p_2, \ldots, p_n$, with the exception that participant i does not broadcast his value, and the simultaneous broadcast is replaced by a regular broadcast (if any participant refuses to broadcast, abort).
3. Participant i computes the outcome of parity, and if it is 1, $y_i \leftarrow 1$.


Lemma 11. The notification protocol achieves privacy and except with expo- 
nentially small probability, the correct output is computed. 

Proof. Privacy and correctness are trivially deduced from properties of the par- 
ity protocol. □ 

8 Fixed Role Anonymous Message Transmission 

In Section 5 we presented an anonymous bit transmission protocol. The protocol easily generalizes to m messages, but the complexity of the protocol becomes polynomial in m. It is not clear how to modify the protocol to transmit a string of arbitrary length, while still allowing multiple senders and receivers. However, in the context where a single sender S is allowed, it is possible to implement a secure protocol for S to anonymously transmit a message to a single receiver R, which we call fixed role anonymous message transmission (Protocol 7). If the uniqueness condition on S and R is not satisfied, the protocol aborts. The protocol combines the use of the parity protocol with an algebraic manipulation detection code [CKP07], which we present as Theorem 1. Due to lack of space, the encoding and decoding algorithms, F and G respectively, are not repeated. For a less efficient algorithm that achieves a similar result, see [CPS02].

Theorem 1 ([CKP07]). There exists an efficient probabilistic encoding algorithm F and decoding algorithm G, where $F : \{0,1\}^m \to \{0,1\}^{m + 2(\log(m) + s)}$ and $G : \{0,1\}^{m + 2(\log(m) + s)} \to \{0,1\}^m \cup \{\bot\}$, such that for all w, $G(F(w)) = w$, and any fixed combination of bit flips applied to $w' = F(w)$ produces a $w''$ such that $G(w'') = \bot$, except with probability $2^{-s}$.


Protocol 7. Fixed Role Anonymous Message Transmission
Oracle: The sender S and receiver R know their identity
Input: S has input $w \in \{0,1\}^m$; all other players have no input
Output: R has output w; all other players have no output
Broadcast type: regular broadcast
Achieved functionality:
1) (Correctness) If the protocol does not abort, R obtains the correct message.
2) (Privacy) The only information that can be learned through the protocol is for R to learn w.
3) (Oracle) If the oracle conditions are not satisfied (in the sense that more than one honest participant believes himself to be the sender or the receiver), the protocol will abort.

1. S computes $w' = F(w)$.
2. The participants execute $m + 2(\log(m) + s)$ rounds of the parity protocol, with participants using a broadcast instead of a simultaneous broadcast and using the following inputs:
  (a) S uses as input the bits of $w'$.
  (b) R uses as input the bits of a random string r of the same length as $w'$, that is, $m + 2(\log(m) + s)$ bits.
  (c) All other players use 0 as input for each round.
3. Let d be the output of the rounds of parity. R computes $w'' = d \oplus r$.
4. R computes $y = G(w'')$.
5. A veto is performed: all players input 0 except R, who inputs 1 if $y = \bot$ and 0 otherwise.
If the outcome of veto is 1, the protocol aborts. Otherwise, R sets his output to y.


Lemma 12 (Correctness, Privacy, Oracle). In the fixed role anonymous message transmission protocol, the probability that R obtains as output a corrupt message is exponentially small. The protocol is perfectly private, and if the oracle conditions are not satisfied, it will abort (except with exponentially small probability).

Proof. Because of the properties of parity and the fact that the receiver broadcasts a random bit in each round, we have perfect privacy. Correctness is a direct consequence of Theorem 1. Finally, if more than one participant acts as a sender or receiver, then again by Theorem 1 the message will not be faithfully transmitted and the protocol will abort in step 5 except with exponentially small probability. □

Theorem 2. For a fixed security parameter, the fixed role anonymous message transmission protocol is asymptotically optimal.

Proof. For any protocol to preserve the anonymity of the sender and the receiver, each player must send at least one bit to every other player for each bit of the message. In the fixed role anonymous message transmission protocol, for a fixed s, each player actually sends O(1) bits to each other player for each bit of the message, and therefore the protocol is asymptotically optimal. □

9 Anonymous Message Transmission 

Our final protocol allows a sender to anonymously transmit a message to a receiver of his choosing. Contrary to the fixed role anonymous message transmission protocol of Section 8, anonymous message transmission (Protocol 8) does not suppose that there is a single sender, but instead, it deals with potential collisions (or lack of any sender at all) by producing the outputs Collision or No Transmission. The only deviation from the ideal functionality in the protocol is that a single participant can force the Collision output. Note again that in this protocol, the privacy of the input implies anonymity of the sender and receiver.


Protocol 8. Anonymous Message Transmission
Input: $x_i = \bot$ or $x_i = (r, w)$ where $r \in \{1, \ldots, n\}$ and $w \in \{0,1\}^m$
Output: If $|\{x_i \mid x_i \neq \bot\}| = 0$ then $y_i$ = No Transmission, and if $|\{x_i \mid x_i \neq \bot\}| > 1$ then $y_i$ = Collision. Otherwise let S be such that $x_S = (r, w)$; then all $y_i = \bot$ except $y_r = w$.
Broadcast type: regular broadcast
Achieved functionality:
1) (Correctness) The output equals the output of the ideal functionality except that a single participant can make the protocol produce the output Collision.
2) (Privacy) The privacy is the same as in the ideal functionality.

1. The participants execute the collision detection protocol; participants who have input $x_i = \bot$ use input 0 while all others use input 1. If the outcome of collision detection is 1, continue; otherwise output No Transmission if the output is 0 and Collision if the output is 2.
2. Let the sender S be the unique participant with $x_S \neq \bot$. The participants execute the notification protocol, with S using input $x_S^r = 1$ and $x_S^j = 0$ for $j \neq r$. All other participants use the input bits 0. Let R be the participant who computes his output $y_R$ as 1. If the notification protocol fails, abort.
3. The participants execute the fixed role anonymous message transmission protocol.


Lemma 13 (Correctness). In the anonymous message transmission protocol, the output equals the output of the ideal functionality except with exponentially small probability. The only exception is that a single participant can make the protocol produce the output Collision.

Proof. This follows easily from the correctness of the collision detection, notification and fixed role anonymous message transmission protocols. □

Lemma 14 (Privacy). The anonymity of the sender and receiver are perfect. If the protocol succeeds, except with exponentially small probability, participant r is the only participant who knows w.

Proof. Perfect anonymity follows from the privacy of the collision detection, notification and fixed role anonymous message transmission protocols. If the sender successfully notifies the receiver in step 2, then the privacy of w is perfect. But with exponentially small probability, the receiver will not be correctly notified, and an adversary acting as the receiver will receive the message w. □

10 Conclusion 

We have given six multiparty protocols that are information-theoretically secure 
without any assumption on the number of honest participants. It would be in- 
teresting to see if the techniques we used can be applied to other multiparty 
functions or in other contexts. 

Our main goal was to prove the existence of several protocols in a model that 
does not make use of any strong hypotheses such as computational assumptions 
or an honest majority. This being said, all the presented protocols are reasonably 
efficient: they are all polynomial in terms of communication and computational 
complexity and in one case, asymptotically optimal. 
A Proof of Correctness for Protocol 3

Lemma 15 (Correctness). If all participants are honest in Protocol 3 (vote), then the output is correct, except with probability exponentially small in s.

Proof. We fix a value k and suppose that v participants have input $x_i = k$. Thus we need to show that in the vote, $y[k]_i = v$, except with probability exponentially small in s.

We now give the intuition behind phase C of the vote. Let $\rho_v$ be the probability that $p[k]^j = \bigoplus_{i=1}^{n} z[k]_i^j = 1$. For $v < n$, we have $\rho_0 = 0$, $\rho_1 = \frac{1}{n}$ and $\rho_{v+1} = \rho_v\left(1 - \frac{1}{n}\right) + (1 - \rho_v)\frac{1}{n}$. Solving this recurrence, we get
$$\rho_v = \frac{1}{2}\left(1 - \left(1 - \frac{2}{n}\right)^{v}\right). \qquad (1)$$
Thus, the idea of phase C of the vote is for the participants to approximate $\rho_v$ by computing $\sigma[k]_i = \frac{1}{s}\sum_{j=1}^{s} p[k]^j$. If the approximation is within $\frac{1}{2e^2 n}$ of $\rho_v$, then the outcome is $y[k]_i = v$. We first show that if such a v exists, it is unique.

Clearly, for $v < n$, we have that $\rho_{v+1} > \rho_v$. We also have $\lim_{n \to \infty} \rho_n = \frac{1 - e^{-2}}{2}$. Thus the difference between $\rho_{v+1}$ and $\rho_v$ is:
$$\rho_{v+1} - \rho_v = \rho_v\left(1 - \frac{1}{n}\right) + (1 - \rho_v)\frac{1}{n} - \rho_v \qquad (2)$$
$$= \frac{1}{n}(1 - 2\rho_v) = \frac{1}{n}\left(1 - \frac{2}{n}\right)^{v}. \qquad (3)$$
Hence if such a v exists, it is unique. We now show that except with probability exponentially small in s, the correct v will be chosen. Let $X = \sum_{j=1}^{s} p[k]^j$ be the sum of the s executions of parity, with $\mu = s\rho_v$ the expected value of X. The participants have computed $\sigma[k]_i = X/s$.

By the Chernoff bound, for any $0 < \delta < 1$,
$$\Pr[X < (1 - \delta)\mu] < \exp(-\mu\delta^2/2). \qquad (4)$$
Let $\delta = \frac{1}{2e^2 n \rho_v}$. We have
$$\Pr\left[X < \mu - \frac{s}{2e^2 n}\right] < \exp\left(-\frac{s}{8e^4 n^2 \rho_v}\right) \qquad (5)$$
and so
$$\Pr\left[\sigma[k]_i - \rho_v < -\frac{1}{2e^2 n}\right] < \exp\left(-\frac{s}{8e^4 n^2 \rho_v}\right). \qquad (6)$$
Similarly, still by the Chernoff bound, for any $\delta < 2e - 1$,
$$\Pr[X > (1 + \delta)\mu] < \exp(-\mu\delta^2/4). \qquad (7)$$
Let $\delta = \frac{1}{2e^2 n \rho_v}$ and we get
$$\Pr\left[X > \mu + \frac{s}{2e^2 n}\right] < \exp\left(-\frac{s}{16e^4 n^2 \rho_v}\right) \qquad (8)$$
and so
$$\Pr\left[\sigma[k]_i - \rho_v > \frac{1}{2e^2 n}\right] < \exp\left(-\frac{s}{16e^4 n^2 \rho_v}\right). \qquad (9)$$
Hence the protocol produces the correct value for $y[k]_i$, except with probability exponentially small in s. □
Abstract. The black-box field (BBF) extraction problem is, for a given field F, to determine a secret field element hidden in a black-box which allows to add and multiply values in F in the box and which reports only equalities of elements in the box. This problem is of cryptographic interest for two reasons. First, for $F = \mathbb{F}_p$ it corresponds to the generic reduction of the discrete logarithm problem to the computational Diffie-Hellman problem in a group of prime order p. Second, an efficient solution to the BBF extraction problem proves the inexistence of field-homomorphic one-way permutations whose realization is an interesting open problem in algebra-based cryptography. BBFs are also of independent interest in computational algebra.

In the previous literature BBFs had only been considered for the prime field case. In this paper we consider a generalization of the extraction problem to BBFs that are extension fields. More precisely we discuss the representation problem defined as follows: For given generators $g_1, \ldots, g_d$ algebraically generating a BBF and an additional element x, all hidden in a black-box, express x algebraically in terms of $g_1, \ldots, g_d$. We give an efficient algorithm for this representation problem and related problems for fields with small characteristic (e.g. $F = \mathbb{F}_{2^n}$ for some n). We also consider extension fields of large characteristic and show how to reduce the representation problem to the extraction problem for the underlying prime field.

These results imply the inexistence of field-homomorphic (as opposed to only group-homomorphic, like RSA) one-way permutations for fields of small characteristic.

Keywords: Black-box fields, generic algorithms, homomorphic encryption, one-way permutations, computational algebra.

1 Introduction 

1.1 Black-Boxes and Generic Algorithms 

Algebraic structures like groups, rings, and fields, and algorithms on them, play 
a crucial role in cryptography. In order to compute in an algebraic structure one 
needs a representation of its elements, for instance as bitstrings. Algorithms that 
do not exploit any property of the representation are called generic. The concept 
of generic algorithms is of interest for two reasons. First, generic algorithms can be used no matter how the structure is represented, and second, this model allows for significant lower bound proofs for certain computational problems. For instance, Shoup [Sho97] proved a lower bound on the complexity of any generic algorithm for computing discrete logarithms in a finite cyclic group.

Representation-independent algorithms on a given algebraic structure S are best modeled by a black-box [BS84, BB99, Mau05], which initially contains some elements of S, describing an instance of the computational problem under consideration. The black-box accepts instructions to perform the operation(s) of S on the values stored in it. The (internal) values are stored in addressable registers and the result of an operation is stored in a new register. The values stored in the black-box are hidden and the only information about these values provided to the outside (and hence to the algorithm) are equalities of stored elements. This models that there is no (need for a) representation of values but that nevertheless one can compute on given values. The equality check provided by the black-box models the trivial property of any (unique) representation that equality is easily checked.¹

A basic problem in this setting is the extraction problem: The black-box contains a secret value x (and possibly also some constants), and the task of the algorithm is to compute x (explicitly).

For example, a cyclic group of prime order p is modeled by a black-box where S is the additive group $\mathbb{Z}_p$ (and which can be assumed to contain the constants 0 and 1 corresponding to the neutral element and the generator, respectively). The discrete logarithm problem is the extraction problem for this black-box. Shoup's result implies that no algorithm can extract x (if uniformly chosen) with fewer than $O(\sqrt{p})$ expected operations. Actually, this many operations are required in expectation to provoke a single collision in the black-box, which is necessary for the algorithm to obtain any information about the content of the black-box. Both the baby-step giant-step algorithm and the Pohlig-Hellman algorithm are generic algorithms which can be described and analyzed in this model.


1.2 Black-Box Fields and Known Results 

If one assumes in the above setting that the black-box not only allows addition 
but also multiplication of values modulo p, then this corresponds to a black-box 
field (BBF). 

An efficient (non-uniform) algorithm for the extraction problem in $\mathbb{F}_p$ was proposed in [Mau94] (see also [MW99]), where non-uniform means that the algorithm depends on p or, equivalently, obtains a help-string that depends on p. Moreover, the existence of the help-string, which is actually the description of an elliptic curve of smooth order over $\mathbb{F}_p$, depends on a plausible but unproven number-theoretic conjecture.


¹ Note that this model is simpler than Shoup's model which assumes a random representation.

Boneh and Lipton [BL96] proposed a similar but uniform algorithm for the extraction problem in $\mathbb{F}_p$, but its running time is subexponential and the analysis also relies on a related unproven number-theoretic conjecture.

1.3 Black-Box Extension Fields

Prime fields differ significantly from extension fields, which is relevant in the context of this paper:

In contrast to an extension field $\mathbb{F}_{p^k}$ (for $k > 1$), a prime field $\mathbb{F}_p$ is generated by any non-zero element (for instance 1). Hence there is a unique isomorphism between any two instantiations of $\mathbb{F}_p$ that is given by mapping the 1 of the first instance to the 1 of the second. In particular, there is a unique isomorphism between a BBF over $\mathbb{F}_p$ and any explicit representation of $\mathbb{F}_p$. Therefore in an explicit representation there exists a unique element corresponding to a secret value x inside the black-box, and the extraction problem as stated above is well defined.

As an extension field $\mathbb{F}_{p^k}$ (for $k > 1$) contains non-zero elements that do not algebraically generate the entire field, it is not sufficient to give a secret value x inside the black-box in order to describe an arbitrary extension field. Rather, the field must be given by a set of elements (generators) in the black-box algebraically generating the field. A vector space basis of $\mathbb{F}_{p^k}$ over $\mathbb{F}_p$ would be a natural choice, but our goal is to make no assumption whatsoever about how the given elements generate the field.

Furthermore, extension fields $\mathbb{F}_{p^k}$ (for $k > 1$) have non-trivial automorphisms, so there is no unique isomorphism between a black-box extension field and an explicit representation. Therefore the extraction problem as originally posed is not well defined for extension fields. We hence formulate a more general problem for extension fields, the representation problem: Write a secret x hidden inside the black-box as an algebraic expression in the other elements (generators) given in the black-box.

When an explicit representation of the field is given outside of the black-box 
(say in terms of an irreducible polynomial of degree k over F p ), then one can also 
consider the problem of efficiently computing an isomorphism (and its inverse) 
between this explicitly given field and the BBF. 

1.4 Contributions of This Paper 

We present an efficient reduction of the representation problem for a finite black-box extension field to the extraction problem for the underlying prime field $\mathbb{F}_p$. If the characteristic p of the field in question is small, or if p is large but an efficient algorithm for the extraction problem for $\mathbb{F}_p$ exists, then this yields an efficient algorithm for the representation problem for the extension field. Under their respective number-theoretic assumptions one can also use the results of [Mau94, MW99, BL96].

Theorem 1 (informal). The representation problem for the finite black-box extension field $\mathbb{F}_B$ of characteristic p is efficiently reducible to the representation problem for $\mathbb{F}_p$. If the characteristic p is small (e.g. p = 2) then the representation problem for $\mathbb{F}_B$ is efficiently solvable.

Furthermore, our algorithms provide an efficiently computable isomorphism between the black-box field and an explicitly represented (outside the black-box) isomorphic copy. If we are given preimages of the generators inside the black-box under some isomorphism from an explicitly represented field into the black-box, or if the black-box allows inserting elements from an explicitly represented field, we may even efficiently extract any element from the black-box field, i.e., we can find the element corresponding to an x inside the black-box in the explicit representation.

In particular, these results imply that any problem posed for a black-box field (of small characteristic) can efficiently be transformed into a problem for an explicit field and be solved there using unrestricted (representation-dependent) methods. For example, this implies that computing discrete logarithms in the multiplicative group over a finite field (of small characteristic) is not harder in the black-box setting than in the case where the field is given by an irreducible polynomial.


1.5 Cryptographic Significance of Black-Box Fields 

A BBF $\mathbb{F}_p$ can be viewed as a black-box group of prime order p, where the multiplication operation of the field corresponds to a Diffie-Hellman oracle; therefore an efficient algorithm for the extraction problem for $\mathbb{F}_p$ corresponds to an efficient generic reduction of the discrete logarithm problem to the computational Diffie-Hellman problem in any group of prime order p (see [Mau94]). So an efficient algorithm for the extraction problem for $\mathbb{F}_p$ provides a security proof for the Diffie-Hellman key agreement protocol [DH76] in any group of order p for which the discrete logarithm problem is hard.$^{2}$

Boneh and Lipton [BL96] gave a second reason why the extraction problem is of interest in cryptography, namely to prove the inexistence of certain field-homomorphic encryption schemes.

The RSA trapdoor one-way permutation defined by $x \mapsto x^e \pmod{n}$ is group-homomorphic: the product of two ciphertexts $x^e$ and $x'^e$ is the ciphertext for their product: $x^e \cdot x'^e = (x \cdot x')^e$. This algebraic property has proven enormously useful in many cryptographic protocols. However, this homomorphic property is only for one operation (i.e., for a group), and an open problem in cryptography is to devise a trapdoor one-way permutation that is field-homomorphic, i.e., for addition and for multiplication. Such a scheme would have applications in multi-party computation, computation with encrypted data (e.g. server-assisted computation), and possibly other areas in cryptography [SYY99, ALN87, Dom02].

2 In this context it is not a problem that Maurer's efficient algorithm [Mau94] for the extraction problem for $\mathbb{F}_p$ is non-uniform, because one can construct a Diffie-Hellman group of order p together with the help-string and hence the equivalence really holds.

A solution to the extraction problem for $\mathbb{F}_p$ implies an equally efficient attack on any $\mathbb{F}_p$-homomorphic encryption scheme that permits checking the equality of two encrypted elements (which is for example true for any deterministic scheme). Indeed, a black-box field can be regarded as an idealized formulation of a field-homomorphic encryption scheme which allows for equality checks. Any algorithm that succeeds in recovering an "encrypted" element hidden inside the black-box will also break an encryption scheme that allows the same operations. In particular, an efficient algorithm for the extraction problem for $\mathbb{F}_p$ implies the inexistence of a secure $\mathbb{F}_p$-homomorphic one-way permutation.

This generalizes naturally to the extension field case, yielding the following corollary to Theorem 1:

Corollary 1. For fields of small characteristic p (in particular for $\mathbb{F}_{2^k}$) there are no secure field-homomorphic encryption schemes$^{3}$ that permit equality checks. In particular, there are no field-homomorphic one-way permutations over such fields.$^{4}$

The same holds even for large characteristic p if we admit non-uniform adversaries under the assumption of [Mau94, MW99].

Beyond its cryptographic significance, the representation problem for black-box extension fields is of independent mathematical interest. The representation problem for groups, in particular black-box groups, has been extensively studied (BB33ESS1I, inciting interest in the representation problem for other algebraic black-box structures.

2 The Representation Problem for Finite Black-Box Fields

2.1 Preliminaries on Finite Fields 

We assume that the reader is familiar with the basic algebraic concepts of groups, rings, fields, and vector spaces, and we summarize a few basic facts about finite fields.

The cardinality of every finite field is a prime power, $p^k$, where p is called the characteristic and k the extension degree. There exists a finite field for every prime p and every k. Finite fields of equal cardinality are isomorphic, i.e., for each cardinality $p^k$ there is up to isomorphism only one finite field, which allows one to refer to it just as $\mathbb{F}_{p^k}$.

3 In the public-key case we can efficiently recover the encrypted field element; in the private-key case this is only possible up to isomorphism, as we may have no knowledge of the plaintext field.

4 One may be led to believe that field-homomorphic one-way permutations cannot exist, since a finite field has only a small number of automorphisms, which can be enumerated exhaustively. However, we assume the target field to be given as a black-box without explicit representation of the elements. As such it is a priori not clear how to find the preimage of a random element.

Prime fields $\mathbb{F}_p$ (i.e., k = 1) are defined as $\mathbb{Z}_p = \{0, \ldots, p-1\}$ with addition and multiplication modulo p. An extension field $\mathbb{F}_{p^k}$ can be defined as the polynomial ring $\mathbb{F}_p[X]$ modulo an irreducible polynomial $m(X)$ of degree k over $\mathbb{F}_p$. It hence consists of all polynomials of degree at most k - 1 with coefficients in $\mathbb{F}_p$.

For every $x \in \mathbb{F}_{p^k}$, the p-fold sum of x (i.e., $x + x + \cdots + x$ with p terms), denoted px, is zero: px = 0. Moreover, $x^{p^k-1} = 1$ for all $x \neq 0$, as $p^k - 1$ is the cardinality of the multiplicative group of $\mathbb{F}_{p^k}$, which is actually cyclic.

An extension field $\mathbb{F}_{p^k}$ is a vector space over $\mathbb{F}_p$ of dimension k. For appropriate $g \in \mathbb{F}_{p^k}$ there exist bases of the form $(1, g, g^2, \ldots, g^{k-1})$. The only automorphisms of a finite field $\mathbb{F}_{p^k}$ are the Frobenius automorphisms $x \mapsto x^{p^i}$ for $i = 0, \ldots, k-1$. In particular, a prime field has no non-trivial automorphisms.

For every l dividing k, there is a subfield $\mathbb{F}_{p^l}$ of $\mathbb{F}_{p^k}$. The trace function $\mathrm{tr}_{\mathbb{F}_{p^k}/\mathbb{F}_{p^l}} : \mathbb{F}_{p^k} \to \mathbb{F}_{p^l}$, defined as

$$\mathrm{tr}_{\mathbb{F}_{p^k}/\mathbb{F}_{p^l}}(a) = \sum_{i=0}^{k/l-1} a^{(p^l)^i},$$

is a surjective and $\mathbb{F}_{p^l}$-linear function [LN97].

2.2 The Black-Box Model 

We make use of the abstract model of computation from [Mau05]: A black-box field $\mathbb{F}_B$ is characterized by a black-box B which can store an (unbounded number of) values from some finite field $\mathbb{F}_{p^k}$ of known characteristic p but not necessarily known extension degree in internal registers $V_0, V_1, V_2, \ldots$ The first d + 1 of these registers hold the initial state $I = [g_0, g_1, \ldots, g_d]$ of the black-box. We require the size d + 1 of the initial state to be at most polynomial in $\log(|\mathbb{F}_B|)$.

The black-box B provides the following interface: It takes as input a pair (i, j) of indices and a bit indicating whether addition or multiplication should be invoked. Then it performs the required operation on $V_i$ and $V_j$, stores the result in the next free register, say $V_\ell$, and reports all pairs of indices (m, n) such that $V_m = V_n$.$^{5}$

Since we only allow performing the field operations + and · on the values of the black box, the black-box field $\mathbb{F}_B$ is by definition the field $\mathbb{F}_B = \mathbb{F}_p[g_0, g_1, \ldots, g_d]$ generated$^{6}$ by the elements $g_0, g_1, \ldots, g_d \in \mathbb{F}_{p^k}$ contained in the initial state $I = [g_0, g_1, \ldots, g_d]$ of the black-box.

A black-box field $\mathbb{F}_B$ is thus completely characterized by the

— public values: characteristic$^{7}$ p, size d + 1 of the initial state,

— secret values: initial state $I = [g_0, g_1, \ldots, g_d]$ (hidden inside the black-box)

5 Alternatively, equality checks could also be modeled as an explicit operation which must be called with two indices.

6 By $\mathbb{F}_p[g_0, g_1, \ldots, g_d]$ we denote the field consisting of all polynomial expressions over $\mathbb{F}_p$ in the generators $g_0, g_1, \ldots, g_d$.

7 If the characteristic p is small it need not be given but can be recovered in time $O(\sqrt{p})$ using a modified Baby-Step-Giant-Step algorithm [Mau05].
This is probably the most basic yet complete way of describing a finite field. Observe that the field $\mathbb{F}_{p^k}$, the elements of which the black-box can store, does not appear in the characterization. Since no algorithm can compute any value not expressible as an expression in the operators + and ·, and the elements initially given inside the black-box, we can without loss of generality assume that k is such that $\mathbb{F}_{p^k} = \mathbb{F}_B$, where k is unknown, but can be efficiently computed as we shall see later.

Also, the operations "additive inverse" and "multiplicative inverse" and the constants 0 and 1 need not be provided explicitly, since they can be computed efficiently given the characteristic p and the field size $|\mathbb{F}_B| = p^k$. We can compute the additive inverse for an element $a \in \mathbb{F}_B$ as $-a = (p-1)a$, and the multiplicative inverse is $a^{-1} = a^{p^k-2}$. Furthermore, $1 = a^{p^k-1}$ for any non-zero a and $0 = pa$ for any a. These expressions can be evaluated efficiently using square-and-multiply techniques.

When discussing the complexity of algorithms on black-box fields, we count each invocation of the black-box as one step. Additionally we will take into account the runtime of computations not directly involving the black-box.

We consider an algorithm to be efficient if it runs in time polynomial in the bit-size of a field element, $\log|\mathbb{F}_B|$.$^{8}$

2.3 The Representation Problem and Related Problems 

We now turn to the problems we intend to solve. Let a characteristic p be given and let B be a black-box with initial state $I = [x, g_1, \ldots, g_d]$ consisting of generators $g_1, \ldots, g_d$ and a challenge x, where $\mathbb{F}_B = \mathbb{F}_p[x, g_1, \ldots, g_d]$. We then consider the following problems:

Definition 1 (Representability Problem, Representation Problem). We call x representable (in the generators $g_1, \ldots, g_d$) if $x \in \mathbb{F}_p[g_1, \ldots, g_d]$. The problem of deciding whether $x \in \mathbb{F}_p[g_1, \ldots, g_d]$ is called the representability problem. If x is representable, then finding a multi-variate polynomial $q \in \mathbb{F}_p[X_1, \ldots, X_d]$ such that $x = q(g_1, \ldots, g_d)$ is called the representation problem.

We proceed to discuss two problems that are closely related to the representation problem. First, we state a generalization of the extraction problem, defined in [Mau05], that is applicable to all finite black-box fields. To do so, we need to specify an isomorphism $\phi$ from the black-box to some explicitly given field K. This is necessary for the extraction problem to be well-defined, because in contrast to prime fields there are many isomorphisms between two isomorphic extension fields.

Definition 2 (Extraction Problem). Let K be an explicitly given field (e.g. by an irreducible polynomial) such that $K \cong \mathbb{F}_B$. Let the images $\phi(g_1), \ldots, \phi(g_d)$

8 The requirement that the size d + 1 of the initial state be at most polynomial in $\log(|\mathbb{F}_B|)$ is imposed so that this makes sense.
of the generators $g_1, \ldots, g_d$ under some isomorphism $\phi : \mathbb{F}_B \to K$ be given. The extraction problem is to compute $\phi(x)$.$^{9}$

Remark 1. Note that an efficient solution to the representation problem implies an efficient solution to the extraction problem. The expression $q(g_1, \ldots, g_d)$ returned as a solution to the representation problem can simply be evaluated over K, substituting $\phi(g_i)$ for $g_i$ (i = 1, ..., d), which yields $\phi(x)$:

$$q(\phi(g_1), \ldots, \phi(g_d)) = \phi(q(g_1, \ldots, g_d)) = \phi(x).$$

Finally consider an efficient but representation-dependent algorithm A solving some problem Q on a finite field K (where the algorithm A requires for instance that the field K is given by an irreducible polynomial). We are interested in whether the existence of such an algorithm A generally implies the existence of a generic algorithm for the problem Q of comparable efficiency. More specifically, we are interested in algorithms $\Phi$ and $\Phi^{-1}$ efficiently computing an arbitrary isomorphism $\phi : \mathbb{F}_B \to K$ and its inverse, yielding a generic solution $\Phi^{-1} \circ A \circ \Phi$ to the problem Q. That is, the algorithm $\Phi$ maps an $x \in \mathbb{F}_B$ to K by solving the extraction problem with respect to $\phi$. The inverse map $\Phi^{-1}$ on the other hand maps a field element $x' \in K$ into the black-box field $\mathbb{F}_B$ by means of constructing $\phi^{-1}(x')$ from the generators inside the black-box using the field operations. These two algorithms can then be chained together with the original, representation-dependent algorithm A, yielding a black-box, representation-independent algorithm. Hence we consider the following problem:

Definition 3 (Isomorphism Problem). Let K be an explicitly given field such that $K \cong \mathbb{F}_B$. The isomorphism problem consists of computing an (arbitrary but fixed) isomorphism $\phi : \mathbb{F}_B \to K$ and its inverse $\phi^{-1}$ for arbitrary elements of K and $\mathbb{F}_B$.

In the following we will exhibit an efficient reduction from the representation problem for any finite field to the representation problem for the underlying prime field. Moreover, our solution to the representation problem will also yield an explicitly given field (by an irreducible polynomial) $\mathbb{F}_{p^k} \cong \mathbb{F}_B$ with an efficient solution to the isomorphism problem for $\mathbb{F}_{p^k}$ and $\mathbb{F}_B$. This allows us to solve any problem posed on the black-box field $\mathbb{F}_B$ in the explicitly given field $\mathbb{F}_{p^k}$ using the corresponding algorithms.


2.4 The Representation Problem for $\mathbb{F}_p$

First, we shall see that the representation, extraction and isomorphism problems are equivalent when the black-box field $\mathbb{F}_B$ is isomorphic to some prime field $\mathbb{F}_p$:

9 The extraction problem also makes sense if the isomorphism $\phi$ is given in another fashion. For example, the black-box might offer an operation that allows inserting elements from an explicitly given field K. This would for instance correspond to a field-homomorphic one-way permutation.
Lemma 1. Let $\mathbb{F}_B \cong \mathbb{F}_p$ be a BBF with initial state $I = [x, g_1, \ldots, g_d]$. Then the representation, extraction and isomorphism problems are efficiently reducible to one another.

Proof. Note that there is a unique isomorphism $\phi : \mathbb{F}_B \to \mathbb{F}_p$. Furthermore, as $\mathbb{F}_B \cong \mathbb{F}_p$, there must be a $g_i \neq 0$ ($i \in \{1, \ldots, d\}$). This $g_i$ can be efficiently found by checking the inequality $g_i + g_i \neq g_i$, and the constant 1 can be efficiently computed inside the black-box as $g_i^{p-1}$ using square-and-multiply techniques.

Reduction extraction to representation: see Remark 1.

Reduction isomorphism to extraction: A solution to the extraction problem yields an efficient algorithm computing the isomorphism $\phi$. The inverse $\phi^{-1}$ can be efficiently computed using square-and-multiply techniques, constructing $\phi^{-1}(a)$ for $a \in \mathbb{F}_p$ as a sum of 1s inside the black-box. This solves the isomorphism problem.

Reduction representation to isomorphism: A solution to the isomorphism problem yields an efficient algorithm computing the isomorphism $\phi$. Then we have $\phi(x) g_i^{p-1}$ as a solution to the representation problem. □

Note that solving the extraction problem for a black-box field $\mathbb{F}_B \cong \mathbb{F}_p$ with initial state $I = [x]$ amounts to solving the discrete logarithm problem for a group of order p (given as a black-box) for which a Diffie-Hellman oracle is given. The following results are known:

Lemma 2 ([Mau94]). There exists a non-uniform algorithm that, under a (plausible) number-theoretic conjecture, solves the extraction (representation, isomorphism) problem for a black-box field $\mathbb{F}_B \cong \mathbb{F}_p$ in time polynomial in log(p), and with a polynomial (in log(p)) amount of advice depending on p.

Lemma 3 ([BL96]). There exists a (uniform) algorithm that, under a (plausible) number-theoretic conjecture, solves the extraction (representation, isomorphism) problem for a black-box field $\mathbb{F}_B \cong \mathbb{F}_p$ in time subexponential in log(p).

For the remainder of this work we will only concern ourselves with reducing other problems to the representation problem for $\mathbb{F}_p$. The reader may generally assume that p is small, such that the representation problem for $\mathbb{F}_p$ is easy to solve.

2.5 The Representation Problem for $\mathbb{F}_{p^k}$ for a Given $\mathbb{F}_p$-Basis

Before we proceed to the general case, we first investigate the simpler case where the initial state of the black-box B is $I = [x, b_1, \ldots, b_k]$, and $b_1, \ldots, b_k$ form a basis of $\mathbb{F}_B$ as an $\mathbb{F}_p$-vector space. We efficiently reduce this problem to the representation problem for $\mathbb{F}_p$ discussed in Section 2.4.

Lemma 4. The representation problem for a black-box field $\mathbb{F}_B$ of characteristic p with initial state $I = [x, b_1, \ldots, b_k]$, where $b_1, \ldots, b_k$ form an $\mathbb{F}_p$-basis of $\mathbb{F}_B$, is efficiently reducible to the representation problem for $\mathbb{F}_p$.
Proof. The proof relies on the well-known dual basis theorem (see e.g. [LN97]): For any $\mathbb{F}_p$-basis $\{b_1, \ldots, b_k\}$ of $\mathbb{F}_{p^k}$ there exists a dual basis $\{c_1, \ldots, c_k\}$ with the property that $\mathrm{tr}_{\mathbb{F}_{p^k}/\mathbb{F}_p}(c_i b_j) = \delta_{ij}$, where $\delta_{ij}$ designates the Kronecker delta. We calculate the dual basis $\{c_1, \ldots, c_k\}$ for the basis $\{b_1, \ldots, b_k\}$ inside the black-box. This can be done efficiently as follows:

We write the elements of the dual basis as $c_i = \sum_{l=1}^{k} a_{il} b_l$. Furthermore, let $A = (a_{il})_{i,l=1,\ldots,k}$ be the coefficient matrix, $B = (\mathrm{tr}_{\mathbb{F}_{p^k}/\mathbb{F}_p}(b_i b_j))_{i,j=1,\ldots,k}$ the trace matrix, and $I_k$ the identity matrix. Then the definition of the dual basis yields a matrix equation $AB = I_k$. Traces can be computed efficiently inside the black-box using square-and-multiply techniques, so the trace matrix B can be efficiently computed inside the black-box. Since B always has full rank [LN97], the matrix equation $AB = I_k$ can be solved for the $a_{il}$ using Gaussian elimination (inside the box B).

As the characteristic p and the exponent k are known, we can efficiently compute additive and multiplicative inverses (see Section 2.2). Solving for the $k^2$ unknowns in the matrix A using Gaussian elimination is efficient, and requires only field operations and equality checks. Hence it can be performed in the black-box and we can efficiently compute the dual basis elements $c_i$ inside the black-box.

To represent the challenge x in the basis $\{b_1, \ldots, b_k\}$, we now calculate $\xi_i = \mathrm{tr}_{\mathbb{F}_{p^k}/\mathbb{F}_p}(c_i x) \in \mathbb{F}_p$ inside the black-box and have $x = \sum_{i=1}^{k} \xi_i b_i$ by the dual basis property. We use an oracle O that solves the representation problem for $\mathbb{F}_p$ (possibly instantiated according to Section 2.4) to extract the $\xi_i$ from the black box, obtaining the required representation of x in the given generators (basis) $\{b_1, \ldots, b_k\}$. □
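To make the facts of Section 2.1 and the dual-basis step in the proof of Lemma 4 concrete, here is an added example in Python; it is not code from the paper. It works in an explicitly represented field $\mathbb{F}_{3^3} = \mathbb{F}_3[X]/(X^3 + 2X + 1)$, a sample I constructed (the modulus has no root in $\mathbb{F}_3$, so it is irreducible), with a constructed non-power basis BASIS and a constructed challenge; all function names are mine. The dual basis is computed exactly as in the proof, from the trace matrix $B_{ij} = \mathrm{tr}(b_i b_j)$ and $A = B^{-1}$, and the coordinates $\xi_i = \mathrm{tr}(c_i x)$ are the values the $\mathbb{F}_p$ oracle would extract:

```python
# Added example (not the paper's code): an explicitly represented extension field
# F_{p^k} = F_p[X]/(m(X)) as in Section 2.1, its trace map, and the dual-basis
# representation from the proof of Lemma 4. Constructed sample: p = 3,
# m(X) = X^3 + 2X + 1, which is irreducible over F_3 because it has no root in F_3.
P, M = 3, [1, 2, 0, 1]            # coefficients of m(X), lowest degree first (monic)
K = len(M) - 1                    # extension degree k
ZERO, ONE = [0] * K, [1] + [0] * (K - 1)
BASIS = [[1, 1, 0], [0, 1, 1], [1, 0, 1]]   # constructed F_3-basis that is not a power basis

def add(a, b): return [(u + v) % P for u, v in zip(a, b)]
def scale(c, a): return [(c * u) % P for u in a]

def mul(a, b):
    """Product in F_p[X]/(m(X)); elements are coefficient lists of length k."""
    prod = [0] * (2 * K - 1)
    for i, u in enumerate(a):
        for j, v in enumerate(b):
            prod[i + j] = (prod[i + j] + u * v) % P
    for d in range(2 * K - 2, K - 1, -1):          # replace X^d by X^(d-k) * (X^k mod m)
        c = prod[d]
        if c:
            for t in range(K + 1):
                prod[d - K + t] = (prod[d - K + t] - c * M[t]) % P
    return prod[:K]

def power(a, e):
    """a^e by square-and-multiply."""
    r, base = ONE, a
    while e:
        if e & 1: r = mul(r, base)
        base, e = mul(base, base), e >> 1
    return r

def trace(a, k_from=K, k_to=1):
    """tr_{F_{p^k_from}/F_{p^k_to}}(a) = sum_{i=0}^{k_from/k_to - 1} a^((p^k_to)^i)."""
    total, y = ZERO, a
    for _ in range(k_from // k_to):
        total, y = add(total, y), power(y, P ** k_to)
    return total

def frobenius_checks(a, b):
    """Section 2.1 facts: p*a = 0, a^(p^k - 1) = 1 for a != 0, x -> x^p is additive, a^(p^k) = a."""
    p_fold = ZERO
    for _ in range(P): p_fold = add(p_fold, a)
    return (p_fold == ZERO, power(a, P ** K - 1) == ONE,
            power(add(a, b), P) == add(power(a, P), power(b, P)), power(a, P ** K) == a)

def inverse_mod_p(B):
    """Inverse of a square matrix over F_p by Gauss-Jordan elimination (field ops and equality only)."""
    n = len(B)
    aug = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(B)]
    for col in range(n):
        piv = next(r for r in range(col, n) if aug[r][col])
        aug[col], aug[piv] = aug[piv], aug[col]
        inv = pow(aug[col][col], P - 2, P)         # multiplicative inverse as a^(p-2)
        aug[col] = [(v * inv) % P for v in aug[col]]
        for r in range(n):
            if r != col and aug[r][col]:
                f = aug[r][col]
                aug[r] = [(u - f * v) % P for u, v in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]

def dual_basis(basis):
    """Lemma 4: with B_ij = tr(b_i b_j) and A = B^(-1), c_i = sum_l a_il b_l satisfies tr(c_i b_j) = delta_ij."""
    Bmat = [[trace(mul(bi, bj))[0] for bj in basis] for bi in basis]
    A = inverse_mod_p(Bmat)
    dual = []
    for i in range(len(basis)):
        ci = ZERO
        for l in range(len(basis)): ci = add(ci, scale(A[i][l], basis[l]))
        dual.append(ci)
    return dual

def represent(x, basis):
    """Coordinates of x in the basis: xi_i = tr(c_i x) in F_p (what the F_p oracle would extract)."""
    return [trace(mul(ci, x))[0] for ci in dual_basis(basis)]

def reconstruct(coeffs, basis):
    """x = sum_i xi_i b_i, the dual-basis identity used at the end of the proof."""
    y = ZERO
    for c, b in zip(coeffs, basis): y = add(y, scale(c, b))
    return y

if __name__ == "__main__":
    x = [2, 0, 1]                                   # X^2 + 2, a constructed challenge
    print(represent(x, BASIS), reconstruct(represent(x, BASIS), BASIS) == x)
```

Everything here uses only field operations and equality tests, which is why the same computation can be carried out inside the black-box: the trace matrix, the Gauss-Jordan step and the traces $\mathrm{tr}(c_i x)$ never look at the representation of an element, and only the final coordinates (elements of $\mathbb{F}_p$) need to be extracted by the oracle.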

3 The Representation Problem for $\mathbb{F}_{p^k}$ for Arbitrary Generating Sets

Now we turn to the general case, where a black-box field $\mathbb{F}_B$ of characteristic p is not necessarily given by a basis, but by an arbitrary generating set $\{g_1, \ldots, g_d\}$ which generates $\mathbb{F}_B$ as an $\mathbb{F}_p$-algebra.

3.1 Main Theorem 

Before we get to our main result, we first discuss the representability problem.

Lemma 5. The representability problem for a black-box field $\mathbb{F}_B$ of characteristic p with initial state $I = [x, g_1, \ldots, g_d]$ can be solved efficiently, and the extension degree k such that $\mathbb{F}_B \cong \mathbb{F}_{p^k}$ can be found efficiently.

Proof. We need to determine efficiently whether x is representable in the generators $g_1, \ldots, g_d$ and then find k such that $\mathbb{F}_B \cong \mathbb{F}_{p^k}$. To this end we first determine the size $k_i := k(g_i) := \log_p |\mathbb{F}_p[g_i]|$ of the subfield $\mathbb{F}_p[g_i] \le \mathbb{F}_B$ of the black-box field $\mathbb{F}_B$ generated by $g_i$, for i = 1, ..., d. We have

$$k_i := k(g_i) = \min\{\, j \in \mathbb{N} : g_i = g_i^{p^j} \,\} \qquad (1)$$

by the properties of the Frobenius homomorphism $y \mapsto y^p$ [LN97]. Eq. (1) can be evaluated efficiently using square-and-multiply.

Now the field element x is representable in the generators $g_1, \ldots, g_d$ if and only if $x \in \mathbb{F}_p[g_1, \ldots, g_d]$ or, equivalently, $\mathbb{F}_p[x] \le \mathbb{F}_p[g_1, \ldots, g_d]$. But the field $\mathbb{F}_p[g_1, \ldots, g_d]$ generated by $g_1, \ldots, g_d$ is isomorphic to the smallest field $\mathbb{F}_{p^{k'}}$, where $k' = \mathrm{lcm}_{i=1}^{d}(k_i)$, that contains all the $\mathbb{F}_{p^{k_i}}$. Hence x is representable in the generators $g_1, \ldots, g_d$ if and only if $k(x) \mid k'$. Moreover, independently of the representability of x we have $k = \mathrm{lcm}(k(x), k')$. □

We can now state our main result, an efficient reduction from the representation problem for an extension field to the representation problem for the underlying prime field:

Theorem 1. The representation problem for the black-box field $\mathbb{F}_B$ of characteristic p with initial state $I = [x, g_1, \ldots, g_d]$ (not necessarily a basis) such that x is representable in $g_1, \ldots, g_d$ is efficiently reducible to the representation problem for $\mathbb{F}_p$.

We shall see later that from this theorem we can also obtain efficient reductions of the extraction and isomorphism problems to the representation problem for the underlying prime field $\mathbb{F}_p$.

3.2 Proof of Theorem 1

By assumption, the challenge x is representable in the generators $g_1, \ldots, g_d$. We will show how to efficiently generate an $\mathbb{F}_p$-power-basis $\{g^0, g^1, \ldots, g^{k-1}\}$ for $\mathbb{F}_B$ inside the black-box. The representation problem can then be efficiently reduced to the representation problem for $\mathbb{F}_p$ using Lemma 4.$^{10}$

Algorithm 1 returns an $\mathbb{F}_p$-power-basis for $\mathbb{F}_B$ by computing an element $g \in \mathbb{F}_B$ (a generator) such that $\mathbb{F}_p[g] = \mathbb{F}_{p^k}$. To this end Algorithm 1 iterates over the generators $g_1, \ldots, g_d$, checking if the current $g_i$ is already contained in $\mathbb{F}_p[g]$ for the current g.$^{11}$ If not, Algorithm 1 invokes the algorithm combine_gen(g, $g_i$) to obtain a new g (which we call g' for now) such that $\mathbb{F}_p[g'] = \mathbb{F}_p[g, g_i]$. Clearly, $\mathbb{F}_p[g] = \mathbb{F}_p[g_1, \ldots, g_d]$ when the algorithm terminates, and hence $\{g^0, g^1, \ldots, g^{k-1}\}$ is an $\mathbb{F}_p$-power-basis for $\mathbb{F}_p[g_1, \ldots, g_d] = \mathbb{F}_B$.

As g is computed inside the black-box from the initially given generators $g_1, \ldots, g_d$ using only field operations, a representation $q'(g_1, \ldots, g_d) = g$ of g

10 One might suspect that the $\{g_i^j\}_{i=1,\ldots,d;\; j=1,\ldots,k}$ already generate $\mathbb{F}_B$ as an $\mathbb{F}_p$-vector space. However, this is not the case. As an example, take $\mathbb{F}_{2^6}$. Then we can find generators $g_2 \in \mathbb{F}_{2^2} \subset \mathbb{F}_{2^6}$ and $g_3 \in \mathbb{F}_{2^3} \subset \mathbb{F}_{2^6}$ such that $\mathbb{F}_2[g_2, g_3] = \mathbb{F}_{2^6}$. But $g_i^j \in \mathbb{F}_{2^{k_i}}$, so the $\mathbb{F}_p$-vector space V generated by $\{g_i^j\}$ has dimension $\dim_{\mathbb{F}_2} V \le \dim_{\mathbb{F}_2} \mathbb{F}_{2^2} + \dim_{\mathbb{F}_2} \mathbb{F}_{2^3} = 5 < 6 = \dim_{\mathbb{F}_2} \mathbb{F}_{2^6}$.

11 Note that the number of generators $g_i$ appearing in the representation of the generator g (and thereby the representation of x) could be reduced by considering only the generators $g_i$ corresponding to the maximal elements in the lattice formed by the $k_i$ under the divisibility relation (these suffice to generate the entire field $\mathbb{F}_B$). For ease of exposition we do not do this.
Algorithm 1. Compute power-basis
1: g := 1
2: m := 1
3: for i = 1 to d do
4:   $k_i := k(g_i) := \min\{ j \in \mathbb{N} : g_i = g_i^{p^j} \}$
5:   if $k_i \nmid m$ then
6:     m := lcm(m, $k_i$)
7:     g := combine_gen(g, $g_i$)
8:   end if
9: end for
10: return power basis $\{g^0, g^1, \ldots, g^{k-1}\}$

(and therefore of all basis elements) in the generators $g_1, \ldots, g_d$ is known. Now Lemma 4 gives a representation $q''(g^0, g^1, \ldots, g^{k-1}) = x$ of the challenge x in the basis elements, so a representation $q(g_1, \ldots, g_d) = x$ of x in the generators $g_1, \ldots, g_d$ can be recovered by substitution:

$$q(g_1, \ldots, g_d) = q''(g^0, g^1, \ldots, g^{k-1}) = q''\big(q'(g_1, \ldots, g_d)^0,\; q'(g_1, \ldots, g_d)^1,\; \ldots,\; q'(g_1, \ldots, g_d)^{k-1}\big).$$

Algorithm 1 is obviously efficient if the algorithm combine_gen is efficient. So, to complete the proof of Theorem 1 we only need to provide an algorithm combine_gen(a, b) that, given two elements $a, b \in \mathbb{F}_B$, efficiently computes a generator g such that $\mathbb{F}_p[g] = \mathbb{F}_p[a, b]$.


Algorithm 2. combine_gen(a, b)
1: find $k'_a$, $k'_b$ such that
   - $k'_a \mid k(a)$, $k'_b \mid k(b)$,
   - $\gcd(k'_a, k'_b) = 1$,
   - $\mathrm{lcm}(k'_a, k'_b) = \mathrm{lcm}(k(a), k(b))$
2: find $a' \in \mathbb{F}_p[a]$ and $b' \in \mathbb{F}_p[b]$ such that $k(a') = k'_a$ and $k(b') = k'_b$
3: return a' + b'

Claim. Given two elements $a, b \in \mathbb{F}_B$, the algorithm combine_gen(a, b) efficiently computes a generator g such that $\mathbb{F}_p[g] = \mathbb{F}_p[a, b]$.

Proof. We analyze algorithm combine_gen(a, b) step by step:

Step 1 can be performed in time polynomial in k (where $p^k = |\mathbb{F}_B|$), and hence in $\log(|\mathbb{F}_B|)$, by factoring k(a) and k(b) (which both divide k).$^{12}$

Step 2 relies on the following lemma [Len05]:

12 Bach and Shallit [BS96, Section 4.8] give a much more efficient algorithm for computing such values $k'_a$, $k'_b$ of complexity $O((\log k(a)k(b))^2)$.
Lemma 6. Let $M \supseteq L \supseteq K$ be a tower of finite fields and let $b_1, \ldots, b_n$ be a K-basis of M. Then $\{\mathrm{tr}_{M/L}(b_1), \ldots, \mathrm{tr}_{M/L}(b_n)\}$ contains a K-basis of L.

Proof. From [LN97, 2.23(iii)] we know that $\mathrm{tr}_{M/L} : M \to L$ is L-linear and surjective. Hence for all $d \in L$ there exists a $c \in M$ such that $\mathrm{tr}_{M/L}(c) = d$. Since $b_1, \ldots, b_n$ form a K-basis of M, the element $c \in M$ can be expressed as $c = \sum_{i=1}^{n} \gamma_i b_i$ where $\gamma_i \in K$ (i = 1, ..., n). Hence using the L-linearity of $\mathrm{tr}_{M/L}$ we have

$$d = \mathrm{tr}_{M/L}(c) = \mathrm{tr}_{M/L}\Big(\sum_{i=1}^{n} \gamma_i b_i\Big) = \sum_{i=1}^{n} \gamma_i\, \mathrm{tr}_{M/L}(b_i).$$

As we can represent every $d \in L$ by a K-linear combination in $\{\mathrm{tr}_{M/L}(b_1), \ldots, \mathrm{tr}_{M/L}(b_n)\}$, this set must contain a K-basis of L. □

As we know $k'_a$ and k(a) from Step 1 and using the fact that the elements $\{a^i : i = 0, \ldots, k(a)-1\}$ form an $\mathbb{F}_p$-basis of $\mathbb{F}_p[a]$, we can compute the set $\{\mathrm{tr}_{\mathbb{F}_p[a]/\mathbb{F}_{p^{k'_a}}}(a^i) : i = 0, \ldots, k(a)-1\}$ in time $O(k^3 \log(p))$, which by the lemma above contains an $\mathbb{F}_p$-basis of $\mathbb{F}_{p^{k'_a}}$.

The following claim is from [Bv7,(ih0TI Lemma 6.2]. For completeness we provide a short proof sketch.

Claim. Any $\mathbb{F}_p$-basis of an extension field $\mathbb{F}_{p^\ell}$ contains a basis element a' such that $\mathbb{F}_{p^\ell} = \mathbb{F}_p[a']$.

Proof (sketch). The $\mathbb{F}_p$-dimension of the span of all proper subfields of $\mathbb{F}_{p^\ell}$ can be computed by application of the inclusion-exclusion principle (first adding the dimensions of all maximal subfields, then subtracting the dimensions of their intersections, then adding the dimensions of the intersections of the intersections, and so on). Using the Möbius function $\mu$ and the Euler function $\varphi$ we can hence write the $\mathbb{F}_p$-dimension of the span of all proper subfields of $\mathbb{F}_{p^\ell}$ as $-\sum_{d \mid \ell,\, d < \ell} \mu(\ell/d)\, d = \ell - \varphi(\ell) < \ell$. As the $\mathbb{F}_p$-dimension of the span of all proper subfields of $\mathbb{F}_{p^\ell}$ is smaller than the $\mathbb{F}_p$-dimension $\ell$ of $\mathbb{F}_{p^\ell}$, there must be a basis element a' which is not contained in any proper subfield of $\mathbb{F}_{p^\ell}$, and therefore $\mathbb{F}_{p^\ell} = \mathbb{F}_p[a']$. □

By the claim above there is a basis element a' that generates $\mathbb{F}_{p^{k'_a}}$, i.e. $\mathbb{F}_{p^{k'_a}} = \mathbb{F}_p[a']$:

$$\exists\, a' \in \{\mathrm{tr}_{\mathbb{F}_p[a]/\mathbb{F}_{p^{k'_a}}}(a^i) : i = 0, \ldots, k(a)-1\} : k(a') = k'_a.$$

By checking this property for all candidate elements in $\{\mathrm{tr}_{\mathbb{F}_p[a]/\mathbb{F}_{p^{k'_a}}}(a^i) : i = 0, \ldots, k(a)-1\}$ we find the generator a' in time $O(k^3 \log(p))$. Analogously we may determine b' such that $k(b') = k'_b$.
Step 3. To complete the analysis of the algorithm combine_gen(x, y), it remains to show that given a', b' from Step 2 we have $\mathbb{F}_p[a' + b'] = \mathbb{F}_p[a, b]$. Since $\mathrm{lcm}(k(a'), k(b')) = \mathrm{lcm}(k(a), k(b))$ by Step 1 we have $\mathbb{F}_p[a', b'] = \mathbb{F}_p[a, b]$, so it only remains to show that $\mathbb{F}_p[a' + b'] = \mathbb{F}_p[a', b']$. We have $\mathbb{F}_p[a', b'] = \mathbb{F}_p[a', a' + b'] = \mathbb{F}_p[a' + b', b']$ and $\gcd(k(a'), k(b')) = 1$, therefore

$$\mathrm{lcm}(k(a'), k(b')) = \mathrm{lcm}(k(a'), k(a' + b')) = \mathrm{lcm}(k(a' + b'), k(b')) = k(a')\,k(b').$$

It is easy to see that then $k(a' + b') = k(a')\,k(b')$ holds, and therefore $\mathbb{F}_p[a' + b'] = \mathbb{F}_p[a, b]$, as required. □
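The following is an added example, not the paper's code, that runs the black-box model of Section 2.2, the degree test of Eq. (1) used in Lemma 5, and Algorithms 1 and 2 end to end in Python, for the characteristic-2 case the paper singles out. The BlackBox class exposes only register indices, the two field operations and equality (footnote 5); everything up to the power basis is computed through that interface, and the register contents are read only afterwards to confirm the result. The field $\mathbb{F}_{2^{12}} = \mathbb{F}_2[X]/(X^{12} + X^6 + X^4 + X + 1)$, the generators $a \in \mathbb{F}_{2^4}$ and $b \in \mathbb{F}_{2^6}$ (the situation of footnote 10, one degree up, so that Step 2 of combine_gen actually needs the trace), the challenge $x = ab + a$ and all function names are constructed assumptions of mine; the polynomial is assumed primitive over $\mathbb{F}_2$, and Step 1 of combine_gen is done by brute force over divisors instead of by factoring:

```python
from math import gcd, lcm

# Added example (not the paper's code): a black-box field of characteristic 2 as in Section 2.2,
# driven only through register indices, add/mul and equality checks, with Eq. (1), Lemma 5 and
# Algorithms 1 and 2 built on that interface. Constructed sample: F_{2^12} given by
# X^12 + X^6 + X^4 + X + 1 (assumed primitive), generators a in F_{2^4}, b in F_{2^6}, x = a*b + a.

class BlackBox:
    """Registers hold elements of F_{2^k} as ints (bit i = coefficient of X^i). Callers see
    only register indices, the add/mul operations and whether two registers are equal."""
    def __init__(self, modulus, k, initial_state):
        self.mod, self.k, self.regs = modulus, k, list(initial_state)
    def _mul(self, a, b):                 # carry-less product reduced modulo the irreducible polynomial
        r = 0
        while b:
            if b & 1: r ^= a
            b, a = b >> 1, a << 1
            if a >> self.k: a ^= self.mod
        return r
    def add(self, i, j): self.regs.append(self.regs[i] ^ self.regs[j]); return len(self.regs) - 1
    def mul(self, i, j): self.regs.append(self._mul(self.regs[i], self.regs[j])); return len(self.regs) - 1
    def equal(self, i, j): return self.regs[i] == self.regs[j]    # equality check (footnote 5)

def pow_reg(bb, i, e, one=None):
    """Register holding V_i^e, by square-and-multiply inside the box; e = 0 needs the register of 1."""
    if e == 0: return one
    result, base = None, i
    while e:
        if e & 1: result = base if result is None else bb.mul(result, base)
        e >>= 1
        if e: base = bb.mul(base, base)
    return result

def degree_k(bb, i):
    """Eq. (1): k(g) = min{ j >= 1 : g = g^(p^j) }, the degree of F_p[g] over F_p (here p = 2)."""
    y, j = i, 0
    while True:
        y, j = bb.mul(y, y), j + 1
        if bb.equal(y, i): return j

def black_box_one(bb, i):
    """The constant 1 as a^(p^k(a) - 1) for a non-zero a (Section 2.2); a = 0 iff a + a = a."""
    assert not bb.equal(i, bb.add(i, i)), "need a non-zero register"
    return pow_reg(bb, i, 2 ** degree_k(bb, i) - 1)

def trace_reg(bb, i, k_from, k_to):
    """tr_{F_{p^k_from}/F_{p^k_to}}(V_i) = sum_t V_i^(p^(k_to*t)) for t < k_from/k_to (Section 2.1)."""
    total, y = None, i
    for _ in range(k_from // k_to):
        total = y if total is None else bb.add(total, y)
        for _ in range(k_to): y = bb.mul(y, y)    # y -> y^(2^k_to)
    return total

def representable(bb, x, gens):
    """Lemma 5: x lies in F_p[g_1, ..., g_d] iff k(x) divides k' = lcm(k(g_1), ..., k(g_d))."""
    k_prime = 1
    for g in gens: k_prime = lcm(k_prime, degree_k(bb, g))
    return k_prime % degree_k(bb, x) == 0

def combine_gen(bb, a, b, one):
    """Algorithm 2: a register g with F_p[g] = F_p[a, b]."""
    ka, kb = degree_k(bb, a), degree_k(bb, b)
    # Step 1, by brute force over divisor pairs (the paper factors k(a) and k(b) instead)
    ka_, kb_ = next((u, v) for u in range(1, ka + 1) if ka % u == 0
                           for v in range(1, kb + 1) if kb % v == 0
                           and gcd(u, v) == 1 and lcm(u, v) == lcm(ka, kb))
    def sub_generator(c, kc, kc_):
        # Step 2: by Lemma 6 and the claim, some tr_{F_p[c]/F_{p^kc_}}(c^i) generates F_{p^kc_}
        for i in range(kc):
            cand = trace_reg(bb, pow_reg(bb, c, i, one), kc, kc_)
            if degree_k(bb, cand) == kc_: return cand
        raise AssertionError("unreachable by Lemma 6 and the claim")
    return bb.add(sub_generator(a, ka, ka_), sub_generator(b, kb, kb_))   # Step 3: a' + b'

def power_basis(bb, gens, one):
    """Algorithm 1: returns (registers of g^0, ..., g^(k-1), register of g, k)."""
    g, m = one, 1
    for gi in gens:
        ki = degree_k(bb, gi)
        if m % ki != 0:                       # k_i does not divide m: g_i is not yet in F_p[g]
            m, g = lcm(m, ki), combine_gen(bb, g, gi, one)
    return [pow_reg(bb, g, j, one) for j in range(m)], g, m

def f2_rank(vectors):
    """Rank over F_2 of bit-vector ints; used only to check the result outside the box."""
    rows, rank = [v for v in vectors if v], 0
    while rows:
        pivot = rows.pop()
        top = pivot.bit_length() - 1
        rows = [v for v in (r ^ pivot if r >> top & 1 else r for r in rows) if v]
        rank += 1
    return rank

MOD, K = 0x1053, 12        # X^12 + X^6 + X^4 + X + 1, assumed primitive over F_2

def build_box():
    """Constructed initial state I = [x, a, b]: a = X^273 has order 15 (so k(a) = 4),
    b = X^65 has order 63 (so k(b) = 6), x = a*b + a."""
    s = BlackBox(MOD, K, [0b10])                     # scratch box seeded with X
    a, b = pow_reg(s, 0, 273), pow_reg(s, 0, 65)
    x = s.add(s.mul(a, b), a)
    return BlackBox(MOD, K, [s.regs[x], s.regs[a], s.regs[b]])

def demo():
    bb = build_box()
    one = black_box_one(bb, 1)                       # register 1 holds a, which is non-zero
    basis, g, k = power_basis(bb, [1, 2], one)
    return {"k_a": degree_k(bb, 1), "k_b": degree_k(bb, 2), "k": k, "k_g": degree_k(bb, g),
            "rank": f2_rank([bb.regs[r] for r in basis]),
            "x_in_a_b": representable(bb, 0, [1, 2]), "x_in_a": representable(bb, 0, [1])}

if __name__ == "__main__":
    print(demo())
```

On the constructed input Algorithm 1 first combines 1 with a (Step 1 picks $k'_1 = 1$, $k'_a = 4$), then combines the result with b, where Step 1 picks $k'_a = 4$, $k'_b = 3$ and Step 2 has to search the traces $\mathrm{tr}_{\mathbb{F}_{2^6}/\mathbb{F}_{2^3}}(b^i)$ for an element of degree 3; the sum then has degree 12 and its twelve powers have full rank over $\mathbb{F}_2$. The representability check reproduces Lemma 5: x lies in $\mathbb{F}_2[a, b]$ but not in $\mathbb{F}_2[a]$, because $k(x) = 12$ divides $\mathrm{lcm}(4, 6)$ but not 4.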


3.3 Implications of Theorem Q] 

From Theorem [?] and Remark 1 we obtain the following corollary:

Corollary 2. The extraction problem for any BBF $F_B$ of characteristic $p$ is efficiently reducible to the representation problem for $\mathbb{F}_p$.

The extraction problem asks for the computation of an isomorphism $\phi : F_B \to K$. Note that the computation of $\phi^{-1}$ also reduces efficiently to the representation problem for $\mathbb{F}_p$, because we can efficiently obtain a power-basis $\{g^0, g^1, \ldots, g^{k-1}\}$ inside the black-box, as in the proof of Theorem 1. From this basis we can then compute the basis $\{\phi(g^0), \ldots, \phi(g^{k-1})\}$ for $K$. Hence the isomorphism $\phi^{-1}$ can be simply and efficiently computed by basis representation.

Corollary 3. Let $F_B$ be a BBF of characteristic $p$ and $K$ some explicitly given field (in the sense of Definition [?]) such that $K \cong F_B$. Then the isomorphism problem for $F_B$ and $K$ can be efficiently reduced to the representation problem for $\mathbb{F}_p$.

Proof. We show that it is possible to efficiently find a field $K' \cong F_B$ that is explicitly given by an irreducible polynomial, such that the isomorphism problem for $F_B$ and $K'$ efficiently reduces to the representation problem for $\mathbb{F}_p$. The corollary then follows from [Len91], which states that the isomorphism problem for two explicitly given finite fields can be solved efficiently.

So, let an oracle $\mathcal{O}$ for the representation problem over $\mathbb{F}_p$ be given. As in the proof of Theorem 1 we efficiently compute a power-basis $\{g^0, g^1, \ldots, g^{k-1}\}$ inside the black-box. By Lemma [?] we compute a representation $q(g^0, g^1, \ldots, g^{k-1}) = g^k$ of $g^k$ in the basis elements. Note that the minimal polynomial $f_g \in \mathbb{F}_p[X]$ of $g$ over $\mathbb{F}_p$ is then exactly $f_g(X) = X^k - q(X^0, X^1, \ldots, X^{k-1})$. Let $K' = \mathbb{F}_p[X]/(f_g)$. Then the required isomorphisms $\phi$ and $\phi^{-1}$ are efficiently given by basis representation. □
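As an added illustration (not code from the paper), the following Python sketch carries out the construction in the proof of Corollary 3 on a constructed toy black-box field $\mathbb{F}_{3^3}$: the black box exposes only addition, multiplication, equality and a generator on opaque handles; the representation problem for $\mathbb{F}_p$ is solved by brute force, since $p$ is small; and the coordinates of $g^k$ in the power basis are read out through the trace form, which is an assumed substitute for the lemma the proof cites (this excerpt does not reproduce it). The defining polynomial $X^3 + 2X + 1$ is hidden inside the black box so that the recovered $f_g$ can be checked against it.

```python
# Added example, not the paper's code: the Corollary 3 construction on a constructed
# toy black-box field F_{3^3}.  The extraction code uses only add/mul/eq/zero/one/gen
# on opaque handles; the representation problem for F_p is solved by brute force
# (p is small); coordinates in the power basis are recovered through the trace form,
# an assumed substitute for the paper's lemma, which this excerpt does not reproduce.
P, K = 3, 3                  # constructed: prime p = 3, extension degree k = 3
HIDDEN_MOD = [1, 2, 0, 1]    # X^3 + 2X + 1 (low to high); no root in F_3, hence irreducible

class BlackBoxField:
    """Opaque integer handles; the internal F_p[X]/(HIDDEN_MOD) representation
    is never inspected by the code below."""
    def __init__(self):
        self._tab = []
    def _new(self, coeffs):
        self._tab.append(list(coeffs))
        return len(self._tab) - 1
    def zero(self): return self._new([0] * K)
    def one(self):  return self._new([1] + [0] * (K - 1))
    def gen(self):  return self._new([0, 1] + [0] * (K - 2))   # class of X
    def eq(self, a, b): return self._tab[a] == self._tab[b]
    def add(self, a, b):
        return self._new((x + y) % P for x, y in zip(self._tab[a], self._tab[b]))
    def mul(self, a, b):
        prod = [0] * (2 * K - 1)
        for i, x in enumerate(self._tab[a]):
            for j, y in enumerate(self._tab[b]):
                prod[i + j] = (prod[i + j] + x * y) % P
        for d in range(2 * K - 2, K - 1, -1):   # reduce X^d, d >= K, by the monic modulus
            c = prod[d]
            for t in range(K + 1):
                prod[d - K + t] = (prod[d - K + t] - c * HIDDEN_MOD[t]) % P
        return self._new(prod[:K])

def const(F, c):
    """The prime-field element c * 1, built only from black-box additions."""
    acc = F.zero()
    for _ in range(c % P):
        acc = F.add(acc, F.one())
    return acc

def represent_fp(F, h):
    """Representation problem for F_p: h is promised to lie in the prime field.
    Brute force suffices for small p (the paper mentions Baby-Step-Giant-Step)."""
    for c in range(P):
        if F.eq(const(F, c), h):
            return c
    raise ValueError("handle is not a prime-field element")

def bb_pow(F, a, e):
    """Square-and-multiply using only black-box multiplications."""
    r = F.one()
    while e:
        if e & 1:
            r = F.mul(r, a)
        a = F.mul(a, a)
        e >>= 1
    return r

def trace(F, h):
    """Tr(h) = h + h^p + ... + h^(p^(k-1)); always lies in F_p."""
    acc, cur = F.zero(), h
    for _ in range(K):
        acc = F.add(acc, cur)
        cur = bb_pow(F, cur, P)                  # Frobenius map
    return acc

def solve_mod_p(M, b):
    """Gauss-Jordan elimination over F_p for a nonsingular k x k system M x = b."""
    n = len(M)
    A = [row[:] + [bi] for row, bi in zip(M, b)]
    for col in range(n):
        piv = next(r for r in range(col, n) if A[r][col] % P)
        A[col], A[piv] = A[piv], A[col]
        inv = pow(A[col][col], P - 2, P)
        A[col] = [(v * inv) % P for v in A[col]]
        for r in range(n):
            if r != col and A[r][col]:
                f = A[r][col]
                A[r] = [(v - f * w) % P for v, w in zip(A[r], A[col])]
    return [row[n] for row in A]

def minimal_polynomial(F, g):
    """Coefficients (low to high) of f_g(X) = X^k - q(X), where g^k = q(g) is the
    representation of g^k in the power basis {g^0, ..., g^(k-1)}."""
    powers = [bb_pow(F, g, i) for i in range(K + 1)]
    # Gram matrix of the trace form on the power basis, read out via the F_p oracle
    M = [[represent_fp(F, trace(F, F.mul(powers[i], powers[j]))) for j in range(K)]
         for i in range(K)]
    rhs = [represent_fp(F, trace(F, F.mul(powers[K], powers[j]))) for j in range(K)]
    q = solve_mod_p(M, rhs)
    return [(-c) % P for c in q] + [1]

def evaluate(F, coeffs, g):
    """Horner evaluation of a polynomial over F_p at the black-box element g."""
    acc = F.zero()
    for c in reversed(coeffs):
        acc = F.add(F.mul(acc, g), const(F, c))
    return acc
```

With `g = F.gen()` the recovered polynomial equals the hidden modulus, and `evaluate(F, f, g)` is the black-box zero, so $K' = \mathbb{F}_3[X]/(f_g)$ is the explicit field the proof asks for. The trace form works because the Gram matrix $(\mathrm{Tr}(g^i g^j))_{i,j}$ is nonsingular for a separable extension, which every finite-field extension is.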

4 Conclusion

We have shown that, given an efficient algorithm for the representation problem for $\mathbb{F}_p$, we can solve the representability, representation, extraction and isomorphism problems for a black-box extension field $F_B \cong \mathbb{F}_{p^k}$ in polynomial time. We achieve this by efficiently constructing (in the generators) an $\mathbb{F}_p$-power-basis $\{g^0, g^1, \ldots, g^{k-1}\}$ for the black-box field $F_B$ inside the black-box, which is interesting in its own right.

For small characteristic $p$ we can immediately solve the above problems efficiently, as in this case solving the representation problem for $\mathbb{F}_p$ (e.g. using Baby-Step-Giant-Step) is easy.

As a consequence, field-homomorphic one-way permutations over fields of small characteristic $p$, in particular over $\mathbb{F}_{2^k}$, do not exist, because such a function would constitute an instantiation of a black-box field¹³ and could be efficiently inverted using the solution to the extraction problem given above. This implies that over fields of small characteristic there can be no field-homomorphic analogue to the group-homomorphic RSA encryption scheme, which constitutes a group-homomorphic trapdoor one-way permutation.

For the same reason, even probabilistic field-homomorphic encryption schemes (both private-¹⁴ and public-key) over fields of small characteristic $p$, in particular over $\mathbb{F}_{2^k}$, cannot be realized if they allow for checking the equality of elements. This is unfortunate because such schemes could have interesting applications in multi-party computation and computation with encrypted data (e.g. server-assisted computation) [SYY99, AFK87, Dom02]. For instance we might be interested in handing encrypted field elements to a computing facility and having it compute some (known) program on them. If the encryption permits equality checks, the computing facility can recover the field elements up to isomorphism.

Furthermore, a polynomial-time solution to the isomorphism problem implies that any problem posed on a black-box field (e.g., computing discrete logarithms over the multiplicative group) can be efficiently transferred to an explicitly represented field, and be solved there using possibly representation-dependent algorithms (e.g. the number field sieve). The solution can then efficiently be transferred back to the black-box field. So any representation-dependent algorithm for finite fields is applicable (in the case of small characteristic) to black-box fields. For example, computing discrete logarithms in the multiplicative group of a finite field is no harder in the black-box setting than if the field is given explicitly by an irreducible polynomial.

Of course these conclusions apply not only to fields of small characteristic $p$, but to any scenario where we can efficiently solve the representation problem for the underlying prime field $\mathbb{F}_p$. Hence we obtain subexponential-time solutions to the above problems under a plausible number-theoretic conjecture by applying the work of Boneh and Lipton [BL96] for solving the representation problem for $\mathbb{F}_p$. Furthermore we can, under a plausible number-theoretic conjecture, solve the problems above efficiently, even for large characteristic $p$, if we are willing to admit non-uniform solutions (solutions that require a polynomial amount of advice depending on the characteristic $p$) using an algorithm by Maurer [Mau94] for solving the representation problem for $\mathbb{F}_p$.

Compared to the case of small characteristic, the situation for fields of large characteristic is then more complex, because the only known efficient algorithm for solving the representation problem for $\mathbb{F}_p$ is non-uniform [Mau94, MW99], i.e. it requires a help-string that depends on $p$. When considering homomorphic encryption and homomorphic one-way permutations, this means that our impossibility results hold for cases where a malicious party may fix the characteristic $p$. In this case the attacker can generate $p$ along with the required help-string to break the scheme. On the other hand our impossibility results do not apply if the characteristic $p$ cannot be determined by the attacker, for instance because it is generated by a trusted party.

It remains an open problem to resolve this issue by providing an efficient uniform algorithm for the representation problem for $\mathbb{F}_p$, or by proving the inexistence thereof.

¹³ Instead of generators we have here the possibility to “insert” elements of an explicitly given field into the “black-box” of the image of the function.

¹⁴ This result requires Theorem [?], whereas the results above already follow from Lemma [?]. Also, note that in the private-key case it is only possible to recover encrypted field elements up to isomorphism, as we may have no knowledge of the plaintext field.
Abstract. In this paper we show a general transformation from any honest verifier statistical zero-knowledge argument to a concurrent statistical zero-knowledge argument. Our transformation relies only on the existence of one-way functions. It is known that the existence of zero-knowledge systems for any non-trivial language implies one-way functions. Hence our transformation unconditionally shows that concurrent statistical zero-knowledge arguments for a non-trivial language exist if and only if standalone secure statistical zero-knowledge arguments for that language exist.

Further, applying our transformation to the recent statistical zero-knowledge argument system of Nguyen et al. (STOC’06) yields the first concurrent statistical zero-knowledge argument system for all languages in NP from any one-way function.


1 Introduction 

Zero-knowledge proof systems were introduced by Goldwasser, Micali and Rackoff [GMR89] and have the remarkable property that they yield nothing except the validity of the assertion being proved. Such protocols involve a prover, who tries to prove some assertion, and a verifier, who is trying to decide if he believes the assertion. A cheating prover may act maliciously by trying to prove a false statement; a cheating verifier may try to learn more than the validity of the statement being proved. The property that the verifier learns nothing (except the validity of the statement) is formalized as the zero-knowledge condition and the property that the prover cannot prove a false statement is formalized as the soundness condition.

Depending upon how strong we want the zero-knowledge property or the soundness property to be, we can define several different types of zero-knowledge systems. In statistical zero-knowledge, we require the zero-knowledge condition to hold even against an infinitely powerful cheating verifier. When we relax the zero-knowledge condition so that it need only hold against a probabilistic polynomial time cheating verifier, we get the so-called computational zero-knowledge. Similarly, we can have zero-knowledge with either statistical soundness (known as zero-knowledge proof systems) or just computational soundness (known as zero-knowledge argument systems).

It would be desirable to construct statistical zero-knowledge proof systems for all languages in NP. Unfortunately it was shown that such systems can only be obtained for languages in $\mathrm{AM} \cap \mathrm{coAM}$ [For87], and $\mathrm{AM} \cap \mathrm{coAM}$ cannot contain NP unless the polynomial hierarchy collapses. Thus if we want a zero-knowledge system for all languages in NP, we can only have either statistical soundness or statistical zero-knowledge (but not both).

The original definition of zero-knowledge considers protocols running alone in isolation. That is, we have a single prover interacting with a single verifier. The concurrent setting was introduced by Dwork et al. [DNS98] (see also [Fei90]) with a motivation to construct zero-knowledge protocols for more realistic settings (such as when the protocols are to be executed over the Internet). In the concurrent setting, many protocol executions are run at the same time with possibly a single prover simultaneously talking to many verifiers. The prover in this setting runs the risk of a coordinated attack from many different verifiers which interleave the execution of protocols and choose their responses to the prover based on each others’ messages. If a zero-knowledge protocol maintains its zero-knowledge property even in the concurrent setting, it is said to be concurrent zero-knowledge.

Our Results. We give the first general transformation from any zero-knowledge system to a concurrent zero-knowledge system that maintains the statistical zero-knowledge property of the system. Hence our compiler can be used to transform a computational zero-knowledge argument system into a concurrent computational zero-knowledge argument system as well as a statistical zero-knowledge argument system into a concurrent statistical zero-knowledge argument system. Our transformation only relies on the existence of one-way functions. Further, it does not require that the original protocol be public coin. These properties separate it from the compiler in [MP03], since the compiler in [MP03] was designed to maintain statistical soundness (whereas we deal with statistical zero-knowledge) and was designed to be very efficient (our transformation is polynomial time but we do not optimize for efficiency). Additionally, the compiler in [MP03] relies on specific number theoretic assumptions.

We would like to emphasize that our compiler only uses one-way functions. It is known that the existence of zero-knowledge systems for any non-trivial language implies one-way functions [OW93]. Hence our transformation unconditionally shows that concurrent statistical zero-knowledge arguments for a non-trivial language exist if and only if standalone secure statistical zero-knowledge arguments for that language exist. This feature also allows us to achieve a main goal of ours: applying our transformation to the statistical zero-knowledge system from [NOV06], we get the first concurrent statistical zero-knowledge argument system for an NP-complete language from any one-way function.

Techniques. Here we describe our techniques at a high level. Our goal is to create a general compiler that will work for honest verifier statistical zero-knowledge arguments and turn them into concurrent statistical zero-knowledge arguments. We first use a modified version of the preamble from the concurrent zero-knowledge protocol of [PRS02]. Using a preamble similar to [PRS02] enables us to have a verifier committed to his randomness for the run of the protocol and to give a strategy for a simulator that could extract that randomness in the concurrent setting. Thus we are able to use a straight-line simulator after the preamble.

The main technical challenges are to adapt the preamble of [PRS02] to work with an all-powerful verifier and to base the preamble solely on one-way functions. The proof of soundness in [PRS02] relies on the verifier using statistically hiding commitments to commit to its randomness. However using statistically hiding commitments during the preamble does not seem plausible in our setting, even though (independent of this work) they have recently been constructed from one-way functions [HR07]. The main reason is that since we are dealing with statistical zero-knowledge, the verifier could potentially be all powerful. Thus all the commitments by the verifier to the prover should be statistically binding. Consequently, if the randomness of the verifier is not statistically hidden from the prover during the PRS preamble, it remains unclear how the proof of soundness would go through (even if the prover uses statistically hiding commitments).

To overcome this problem, the verifier commits using statistically binding commitments based on one-way functions, as it appears essential in our setting. However, the verifier never actually opens the commitment. Instead the verifier gives a (standalone secure computational) zero-knowledge proof that his messages are consistent with the randomness committed to in the PRS preamble. Note that it is important that we use a zero-knowledge proof here since the verifier is all powerful. This idea enables us to prove that our transformation preserves the soundness of the underlying proof system.

Furthermore, since we are transforming from an honest verifier statistical zero-knowledge argument into a concurrent statistical zero-knowledge argument, we need to find a way to relax the requirement that the verifier is honest. In order to achieve this goal, the randomness that the verifier uses is determined by a coin-flipping protocol between the prover and the verifier (instead of being chosen freely by the verifier alone). This is important for our proof of the zero-knowledge condition since our simulator for the underlying protocol will require verifier responses with correctly distributed randomness. Also, this technique combined with the trick of using zero-knowledge proofs from the verifier allows us to deal with private-coin protocols as well.

We are able to combine all of these ideas into a single compiler that lets us achieve our results.


1.1 Related Work 

Statistical zero-knowledge arguments. In this paper, we will be examining statistical zero-knowledge arguments, which were first introduced by [BCC88]. From the constructions of [?, BCC88] it is clear that one main technique to construct statistical zero-knowledge arguments for any language in NP is to first construct statistically hiding commitments (and plug them into a standard protocol).

Early constructions of statistically hiding commitments were built on specific number theoretic assumptions [BCC88, BKK90]. In [GK96] it was shown how to construct statistically hiding commitments from claw-free permutations; this was further reduced to any family of collision-resistant hash functions in [NY89].

Naor et al. [NOVY98] showed how to construct statistically hiding commitments from one-way permutations. In [Ost91, OW93] it was shown that one could build a weak form of one-way functions from statistically hiding commitments. Thus one-way functions would be the minimal assumption needed to create statistically hiding commitments. Until recently, no further progress was made. Haitner et al. [HHK+05] showed how to construct statistically hiding commitments from a one-way function that could approximate the pre-image size of points in the range.

In a recent breakthrough work, Nguyen et al. [NOV06] were able to construct statistical zero-knowledge arguments from any one-way function for all languages in NP. They deviated from the traditional line of constructing statistically binding commitments from one-way functions. Instead they created a relaxed variant of statistically binding commitments from one-way functions, first introduced by Nguyen and Vadhan [NV06]. Building on [NOV06], Haitner and Reingold [HR07] recently constructed statistically hiding commitments from one-way functions. We remark that [NOV06] serves as a critical component for our results.

Concurrent zero-knowledge. The notion of concurrent zero-knowledge was introduced by [DNS98] (see also [Fei90]), who also gave a construction based on timing assumptions. Richardson and Kilian [RK99] exhibited a family of concurrent zero-knowledge protocols for all languages in NP in the plain model. The analysis of their protocol required that the protocol have a polynomial number of rounds. This analysis was improved by Kilian and Petrank [KP01], who showed that the protocol only required a poly-logarithmic number of rounds. Prabhakaran, Rosen, and Sahai introduced a variant of the protocol and reduced the number of rounds further to $\omega(\log n)$ rounds in [PRS02]. This is the protocol we will mainly use in our general compiler.

In [MP03], Micciancio and Petrank give a general compiler to compile any public-coin honest verifier zero-knowledge proof system into a concurrent zero-knowledge proof system while incurring only an additional $\omega(\log n)$ rounds. This reduction is based on perfectly hiding commitment schemes (having some additional special properties) based on the Decisional Diffie-Hellman assumption. These reductions do not however maintain the statistical zero-knowledge property. In other words, even if the original protocol is statistical zero-knowledge, the resulting protocol may not be.


Concurrent statistical zero-knowledge. There has not been much work on concurrent statistical zero-knowledge. In [MOSV06], Micciancio et al. show how to build concurrent statistical zero-knowledge proofs for a variety of problems unconditionally, that is, without making any unproven complexity assumptions. However since these were statistical zero-knowledge proofs, their results could not include proofs for all languages in NP (unless NP is in $\mathrm{AM} \cap \mathrm{coAM}$ and the polynomial hierarchy collapses).


2 Preliminaries 

Statistical Difference. The statistical difference between two random variables $X, Y$ taking values in a universe $U$ is defined to be

$\Delta(X, Y) \stackrel{\mathrm{def}}{=} \max_{S \subseteq U} \bigl|\Pr[X \in S] - \Pr[Y \in S]\bigr| = \frac{1}{2} \sum_{x \in U} \bigl|\Pr[X = x] - \Pr[Y = x]\bigr|$

We say two distributions are statistically close if $\Delta(X, Y)$ is negligible.
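The definition gives two expressions for $\Delta(X, Y)$; the following added Python example (not from the paper) checks them against each other on two constructed distributions over a four-element universe, by exhaustive search over all events $S$, and shows that the event $S = \{x : \Pr[X = x] > \Pr[Y = x]\}$ attains the maximum. The distributions `PX` and `PY` are constructed for the example.

```python
# Added example, not the paper's code: checks the two forms of the statistical
# difference against each other on constructed distributions over a tiny universe,
# and shows that the event S = {x : Pr[X=x] > Pr[Y=x]} attains the maximum.
from fractions import Fraction
from itertools import combinations

def difference_on(px, py, S):
    """|Pr[X in S] - Pr[Y in S]| for one event S (px, py map outcomes to probabilities)."""
    return abs(sum(px.get(x, 0) for x in S) - sum(py.get(x, 0) for x in S))

def l1_half(px, py):
    """(1/2) * sum_x |Pr[X=x] - Pr[Y=x]| over the union of the supports."""
    universe = set(px) | set(py)
    return sum(abs(px.get(x, 0) - py.get(x, 0)) for x in universe) / 2

def max_over_subsets(px, py):
    """max over all S subset of U of |Pr[X in S] - Pr[Y in S]|, by exhaustive search.
    Exponential in |U|, so only for checking the identity on small universes."""
    universe = sorted(set(px) | set(py))
    best, best_set = Fraction(0), ()
    for size in range(len(universe) + 1):
        for S in combinations(universe, size):
            d = difference_on(px, py, S)
            if d > best:
                best, best_set = d, S
    return best, best_set

def positive_set(px, py):
    """The event on which X is more likely than Y; it always attains the maximum."""
    return sorted(x for x in set(px) | set(py) if px.get(x, 0) > py.get(x, 0))

# constructed distributions over U = {a, b, c, d}; Y puts mass on d, X does not
PX = {"a": Fraction(1, 2), "b": Fraction(1, 4), "c": Fraction(1, 4)}
PY = {"a": Fraction(1, 4), "b": Fraction(1, 4), "c": Fraction(1, 8), "d": Fraction(3, 8)}
```

For `PX` and `PY` both expressions give $3/8$; the exhaustive search may report the complementary event $\{d\}$ first, which attains the same value, since $|\Pr[X \in S] - \Pr[Y \in S]|$ is unchanged by complementing $S$.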

Definition 1 (Argument Systems ([Gol01])). An interactive protocol $(P, V)$ is an argument (or computationally sound proof system) for a language $L$ if the following three conditions hold:

1. (Efficiency) $P$ and $V$ are computable in probabilistic polynomial time.

2. (Completeness) If $x \in L$, then $V$ outputs accept with probability at least $2/3$ after interacting with the honest prover $P$.

3. (Soundness) If $x \notin L$, then for every nonuniform PPT adversarial prover $P^*$, $V$ outputs accept with probability at most $1/3$.

For an argument system $(P, V)$, we define the following terms. If $x \in L$, then the value that lower bounds the probability of $V$ outputting accept after interacting with the honest prover $P$ is called the completeness bound. Similarly, if $x \notin L$, then the value that upper bounds the probability of $V$ outputting accept after interacting with any nonuniform PPT adversarial prover $P^*$ is called the soundness error.

We say that an argument system is public coin if all the messages sent by $V$ are chosen uniformly at random, except for the final accept/reject message (which is computed as a deterministic function of the transcript).
Concurrent Zero-knowledge. We assume the conversation between the prover $P$ and the verifiers $V_1, \ldots, V_n$ is of the form $v_1, p_1, v_2, p_2, \ldots, v_t, p_t$ where each $v_j$ is a message sent to the prover from a verifier $V_{i_j}$ and the prover’s response is the message $p_j$. We assume that there is an adversary $A$ which controls the verifiers and the verifiers’ messages. The adversary will take as input the partial conversation so far, i.e., $v_1, p_1, \ldots, v_k, p_k$, and output a pair $(i, v)$ specifying that $P$ will receive message $v$ from verifier $V_i$. The view of the adversary on input $x$ will include the verifiers’ random tapes and all the messages exchanged between the prover and the verifiers. This view will be denoted by $(P, A)(x)$.

Definition 2. We say that an argument system $(P, V)$ for a language $L$ is statistical (resp., computational) black box concurrent zero-knowledge if there exists a probabilistic polynomial time oracle machine $S$ (the simulator) such that for any unbounded (resp., probabilistic polynomial time) adversary $A$, the distributions $(P, A)(x)$ and $S^A(x)$ are statistically close (resp., computationally indistinguishable) for every string $x$ in $L$.

We call the statistical difference of these distributions the zero-knowledge error 
of the protocol. If we are dealing with computational indistinguishability, the 
probability that a probabilistic polynomial time adversary can distinguish these 
distributions is called the zero-knowledge error of the protocol as well. 

Honest Verifier. We say a proof system is an honest verifier proof system if the 
zero-knowledge property is guaranteed to hold only if the verifier acts according 
to the protocol. 

Note on Notation. We will use P(T, r) (resp., V (T, r)) to signify the correct next 
message of an honest P (resp., V) as per the protocol (P, V), given the random 
coins r and the interaction transcript T observed so far. Sometimes, the random 
coin r might be implicit (instead of being explicitly supplied as an input). 

3 Compiler Parts 

In this section, we give the different parts of the compiler in isolation before 
putting them together in the next section to give our full protocol. 


3.1 Underlying Zero-Knowledge Protocol 

We assume that as input to our compiler, we have an honest verifier statistical zero-knowledge argument system for some language $L$. This protocol will have a prover, a verifier, a completeness bound, a soundness error, a simulator, the number of rounds and a zero-knowledge error (denoted by $P, V, \varepsilon_c, \varepsilon_s, S, t$ and $\varepsilon_z$ respectively). We let $p_1, \ldots, p_t$ denote the messages of the prover and $v_1, \ldots, v_t$ the messages of the verifier in a particular execution of the argument system.

3.2 Statistically Binding Commitments from Any OWF

In our protocol, we shall use statistically binding commitments from any OWF. Building on techniques from [HILL99], such commitments were constructed by Naor [Nao91].

We denote such a commitment scheme by COM. We denote the probability of an all powerful adversary breaking the binding property of the scheme as $b_{\mathrm{COM}}$. We denote the probability of a PPT adversary breaking the hiding property of the scheme as $h_{\mathrm{COM}}$.

3.3 Computational Zero-Knowledge Proof Based on Any OWF for All of NP

In our protocol, we shall use a computational zero-knowledge proof based on one-way functions for every language in NP with negligible soundness error and perfect completeness. One way to construct them is to create statistically binding commitments based on a OWF as stated earlier [HILL99, Nao91]. These commitments can then be used in the 3-colorability protocol of [GMW91] to give us a zero-knowledge proof for any language in NP. We can then repeat the protocol sequentially $n^2$ times (where $n$ is the security parameter) to achieve negligible soundness error. We note that this protocol will also have perfect completeness. We denote the final protocol after the sequential repetitions as $(P', V')$.

This protocol will have a prover, a verifier, a completeness bound, a statistical soundness error, a simulator, the number of rounds and a zero-knowledge error (denoted by $P', V', \varepsilon'_c = 1, \varepsilon'_s, S', t'$ and $\varepsilon'_z$ respectively).


3.4 Preamble from PRS [PRS02]

In this subsection, we describe the preamble from [PRS02] and give its useful properties for our context. We note that [RK99, KP01] also have similar preambles (with round complexity higher than [PRS02]) which could be used for our purpose.

The preamble of the PRS protocol is simple. Let $n$ be the security parameter of the system and $k$ be any super-logarithmic function in $n$. Let $\sigma$ be the bit string we wish to commit to and $\gamma$ be the length of $\sigma$. We break $\sigma$ up into two random shares $k^2$ times. Let these shares be denoted by $\{\sigma^0_{i,\ell}\}_{i,\ell=1}^{k}$ and $\{\sigma^1_{i,\ell}\}_{i,\ell=1}^{k}$ with $\sigma^0_{i,\ell} \oplus \sigma^1_{i,\ell} = \sigma$ for every $i, \ell$. The verifier will commit to these bits using COM with fresh randomness each time. The verifier then sends these $k^2$ commitments to the prover. This is then followed by $k$ iterations where in the $\ell$th iteration, the prover sends a random $k$-bit string $b_\ell = b_{1,\ell}, \ldots, b_{k,\ell}$, and the verifier decommits to the commitments $\mathrm{COM}(\sigma^{b_{1,\ell}}_{1,\ell}), \ldots, \mathrm{COM}(\sigma^{b_{k,\ell}}_{k,\ell})$.

The goal of this protocol is to enable the simulator to be able to rewind and find the value $\sigma$ with high probability by following a fixed strategy. Since the verifier commitments are set after the first round, once we rewind the verifier, the simulator will have the opportunity to have the verifier open both the $\sigma^0$ commitment and the $\sigma^1$ commitment. In the concurrent setting, rewinding a protocol can be difficult since one may rewind past the start of some other protocol in the system, as observed by [DNS98]. The remarkable property of this protocol is that there is a fixed rewinding strategy the simulator can use to get the value of $\sigma$, for every concurrent cheating verifier strategy $V^*$, with high probability.
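The preamble and the rewinding idea it serves, as an added Python example that is not the paper's code: an honest verifier splits $\sigma$ into $k^2$ XOR share pairs, commits to every share, and in iteration $\ell$ opens one share of each pair $(i, \ell)$ according to the prover's challenge bits; a simulator that runs one iteration, rewinds to just after the commitments, and re-runs it with a challenge flipped in position $i$ obtains both shares of pair $(i, \ell)$ and hence $\sigma$. The hash-based commitment is a stand-in for COM (the paper uses Naor's scheme), and $\sigma$, $k$ and all randomness are constructed here; the fixed concurrent rewinding schedule of Lemma 1 is not modelled, only the stand-alone rewind it is built from.

```python
# Added example, not the paper's code: a toy honest-verifier run of the PRS preamble
# and the single-rewind extraction it is built for.  The hash commitment is a
# stand-in for COM (the paper uses Naor's scheme); sigma, k and all randomness are
# constructed here.  The concurrent rewinding schedule of Lemma 1 is not modelled.
import hashlib
import os
import secrets

def commit(msg):
    """Stand-in for COM: c = SHA-256(nonce || msg); the opening is (nonce, msg)."""
    nonce = os.urandom(16)
    return hashlib.sha256(nonce + msg).digest(), (nonce, msg)

def open_ok(c, opening):
    nonce, msg = opening
    return hashlib.sha256(nonce + msg).digest() == c

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class Verifier:
    """Holds sigma and k*k pairs of XOR shares; the first message commits to every
    share, and iteration l decommits one share of each pair (i, l)."""
    def __init__(self, sigma, k):
        self.sigma, self.k = sigma, k
        self.commitments, self.openings = {}, {}
        for i in range(k):
            for l in range(k):
                s0 = os.urandom(len(sigma))
                s1 = xor(sigma, s0)                 # s0 XOR s1 == sigma
                for bit, share in ((0, s0), (1, s1)):
                    c, op = commit(share)
                    self.commitments[(i, l, bit)] = c
                    self.openings[(i, l, bit)] = op
    def first_message(self):
        return dict(self.commitments)
    def answer(self, l, bits):
        """Iteration l: open share bits[i] of pair (i, l) for every i."""
        return [((i, l, bits[i]), self.openings[(i, l, bits[i])]) for i in range(self.k)]

def prover_check(commitments, answers):
    """The prover accepts an iteration only if every opening matches its commitment."""
    return all(open_ok(commitments[key], op) for key, op in answers)

def run_preamble(V):
    """Honest prover: k iterations of random k-bit challenges; True if all openings verify."""
    cms = V.first_message()
    for l in range(V.k):
        bits = [secrets.randbits(1) for _ in range(V.k)]
        if not prover_check(cms, V.answer(l, bits)):
            return False
    return True

def extract_by_rewinding(V, l=0, i=0):
    """Simulator view: run iteration l with challenge b, rewind to just after the
    commitments, re-run it with b' differing at position i, and XOR the two openings
    of pair (i, l) to recover sigma.  Binding of COM ties the result to the real sigma."""
    cms = V.first_message()
    b = [0] * V.k
    first = dict(V.answer(l, b))
    b2 = list(b)
    b2[i] ^= 1
    second = dict(V.answer(l, b2))      # rewinding: same commitments, fresh challenge
    if not (prover_check(cms, first.items()) and prover_check(cms, second.items())):
        raise ValueError("verifier's decommitments did not verify")
    s0 = first[(i, l, 0)][1]
    s1 = second[(i, l, 1)][1]
    return xor(s0, s1)
```

Only one iteration and one flipped challenge position are needed to extract, which is why the simulator's difficulty lies entirely in scheduling the rewinds among concurrent sessions rather than in the extraction itself; a verifier that aborts on the second challenge is the case the fixed strategy of [PRS02] is designed to cope with.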

We will follow [MOSV06] in formalizing the properties of the PRS preamble we need. Without loss of generality, assume that there are $Q$ concurrent sessions. Recall that $k$ is the number of rounds of the PRS preamble.

We call the simulator for the PRS preamble CEC-Sim. CEC stands for concurrently-extractable commitments. CEC-Sim will have oracle access to $V^*$ and will get the following inputs.

- Commitment schemes $\mathrm{COM} = \mathrm{COM}_1, \mathrm{COM}_2, \ldots, \mathrm{COM}_Q$, where $\mathrm{COM}_s$ is the commitment scheme used for session $s$.

- Parameters $\gamma$, $k$, $n$ and $Q$, all given in unary.

We also need to give the following definitions adapted from [MOSV06]:

Definition 3 (Major Decommitment). A major decommitment is a reveal after the PRS preamble in which $V^*$ reveals the opening of commitments $\{\mathrm{COM}(\sigma^0_{i,\ell})\}_{i,\ell=1}^{k}$ and $\{\mathrm{COM}(\sigma^1_{i,\ell})\}_{i,\ell=1}^{k}$. $P$ only accepts the major decommitment if: (a) all these openings are valid openings to the commitments in the transcript, and, (b) there exists $\sigma$ such that for all $i, \ell$, $\sigma^0_{i,\ell} \oplus \sigma^1_{i,\ell} = \sigma$.

Definition 4 (Valid Commit Phase). For a transcript $T$ of the commit phase interaction between $P$ and $V^*$, let $T[s]$ denote the messages in session $s$. $T[s]$ is a valid commit phase transcript if there exists a major decommitment $D$ such that $P(T[s], D) = \mathrm{accept}$.

Definition 5 (Compatibility). Message $M = (\sigma, \sigma^0_{i,\ell}, \sigma^1_{i,\ell})$ is compatible with $T[s]$ if

1. [?]

2. There exist commitments $\mathrm{COM}_s(\sigma^0_{i,\ell})[s]$ and $\mathrm{COM}_s(\sigma^1_{i,\ell})[s]$ that are part of the transcript of the first message of $T[s]$.

Observe that if a message $M = (\sigma, \sigma^0_{i,\ell}, \sigma^1_{i,\ell})$ is compatible with the transcript $T[s]$, the cheating verifier can major-decommit to a message different from $\sigma$ only with probability at most $b_{\mathrm{COM}}$. Thus we call $\sigma$ the extracted message.

Definition 6. A simulator $\mathrm{CEC\text{-}Sim}^{V^*}$ has the concurrent extraction property if for every interaction $T$ it has with $V^*$, it also provides (on a separate output tape) an array of messages $(M_1, M_2, \ldots, M_Q)$ with the following property:

For every session $s \in \{1, 2, \ldots, Q\}$, if $T[s]$ is a valid commit phase transcript, then $M_s$ is compatible with $T[s]$.

A simulator that has the concurrently extractable property is also called a concurrently-extractable simulator.

Using the simulation and rewinding techniques in [PRS02], we can obtain a concurrently-extractable simulator for the PRS preamble. Let $(P, V^*)$ denote the output of $V^*$ after concurrently interacting with $P$. Recall that $V^*$ is an unbounded adversary.

Lemma 1 (implicit in [PRS02], adapted from [MOSV06]). There exists a PPT concurrently-extractable simulator CEC-Sim with a fixed strategy SIMULATE such that for COM and all concurrent adversaries $V^*$, for settings of parameters $\gamma = \mathrm{poly}(n)$, $k = O(\log n)$, and $Q = \mathrm{poly}(n)$, the ensembles

$\{\mathrm{CEC\text{-}Sim}^{V^*}(\mathrm{COM}, 1^\gamma, 1^k, 1^n, 1^Q)\}$ and $\{(P, V^*)(\mathrm{COM}, 1^\gamma, 1^k, 1^n, 1^Q)\}$

have statistical difference $\varepsilon$, where $\varepsilon$ is negligible.

4 The Compiler 

In this section, we discuss the compiler in detail. It takes as input an honest 
verifier statistical zero knowledge argument system (P, V ) and compiles it into a 
concurrent statistical zero knowledge argument system (P, Y) assuming the exis- 
tence of one way functions. The compiler uses statistically binding commitments 
and computational zero knowledge proofs as building blocks. Both of these can 
be constructed out of any one way function (H1LL99I KiMWOl] . 

The compiler is presented formally in Figure d Let R denote the uniform 
distribution. The verifier V first generates a random string r (i.e., r *— R). P 
and V then carry out the PRS preamble |PRSf)2| where V sets er to be r. 

Instead of using statistically hiding commitments as in the PRS preamble, 
we will use statistically binding commitments based on one way functions. This 
however causes a problem in the PRS soundness proof jPKS02j since the statis- 
tical hiding property of the commitments is used in an essential manner in the 
soundness proof! We resolve this problem later on. 

Once P and V have finished the PRS preamble, V gives a computational zero 
knowledge proof acting as P' in the system (P' , V') (constructed using a OWF as 
described in section EJ) . It proves that all the shares it committed to in the PRS 
preamble (first message) are “consistent” with r. In other words, r\ t 8 r( e = r 
for every i, i. The prover P then draws r' *— R and sends it to V. Now P and 
V will begin the supplied honest verifier statistical zero knowledge argument 
protocol (P, V) with some modifications. The random coins of the verifier V are 
fixed to be r ® r' r" . 

Let the protocol (P, V) have t rounds where one round involves a prover 
message followed by the verifier’s response. P and V interact as follows. In the 

1 For example, if the verifier uses computationally hiding commitments, a cheating 
prover could potentially create dependencies between his own commitments and the 
verifier challenge. 
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Common Input to P and ¥: {P,V),(P',V'),x, COM 

Compiler: 

1. V — > P: Generate r <— R. Using COM, commit to r and the shares 

( r i r <}M=aij{ r i,i}M=i sudl tllat r i,e ® r M = r for ever y M- 

2. For t = 1, ... k: 

(a) P -> V: Send & M , . . . , b k ,t Z- {0, l} fc . 

(b) ¥ — > P: Decommit to r\ , . . . , r^f . 

3. V •*-> P: Zero-knowledge proof (P', V') where V acts as P' and proves to P 
that r° e © rj( = r for every i,£ and that there exist valid openings to the 
commitments in the PRS preamble to rf^,rf e . If P accepts the 
zero-knowledge proof, the transcript of the commit phase is guaranteed to 
be a valid commit phase transcript. 

4. P-fV: send r' R. 

5. ¥ calculates r" r © r' 

6. For j = 1, . . . t: 

(a) P -> ¥: send P(Tf) = Pi . 

(b) ¥ -> P: send V{TY , r") = Vj. 

(c) ¥ <-> P: zero-knowledge proof (P', V ') where ¥ acts as P' and proves 
to P that there exist an r" such that r © r 1 = r" and V{Tj ,r") = Vj. 

7. ¥ — > P: send V(T,r ") = accept/reject. 


Fig. 1 . Compiler 


jth round, P calculates the next message pj of P on the transcript T? of the 
interaction so far. Transcript T,[' is defined to contain all the messages exchanged 
between P and V so far, i.e., Tf = (pi, ui, . . . ,Pj~i, Vj-i)- 

The verifier V receives pj from P. It will now calculate V’s response in the 
protocol (P,V) using randomness r" and Vs transcript Tj (= (T? ,pj)) of 
the interaction so far; we call this response Vj. Now V will act as the P' in the 
computational zero-knowledge proof system (P 1 , V'). 

$\hat V$ will prove that his response is indeed consistent with $V$ acting on input $T^V_j$ and randomness $r''$. The statement being proven by $\hat V$ is in NP since it is possible to check the statement given the opening of the commitment to $r$. We are using the computational zero-knowledge proof here instead of just revealing the commitments to make our soundness proof go through. $\hat P$ acts as $V'$ during this zero-knowledge proof. If the proof is accepted by $V'$ then $\hat P$ accepts $v_j$.

Once these $t$ rounds are complete, $\hat V$ accepts if and only if $V$ would accept on the complete transcript $T$ $(= (T^V_t, v_t))$.
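As an added illustration (example code, not from the paper), the following Python runs steps 1 to 5 of the compiler in Fig. 1 for a single session and evaluates the NP relation that the step-3 zero-knowledge proof is about. It assumes COM is a hash commitment H(nonce || value), which is only computationally binding whereas the compiler needs a statistically binding COM, and it replaces the step-3 proof by a direct check of the relation using $\hat V$'s openings; NBYTES is a constructed choice.

```python
import hashlib
import secrets

NBYTES = 16  # length of the verifier randomness r (constructed choice)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def commit(value):
    """COM instantiated as H(nonce || value); returns (commitment, opening).
    Assumption: this hash commitment stands in for the paper's statistically
    binding COM (a hash commitment is only computationally binding)."""
    nonce = secrets.token_bytes(16)
    return hashlib.sha256(nonce + value).digest(), nonce + value


def opens_to(com, opening):
    """True iff `opening` (= nonce || value) is a valid opening of `com`."""
    return hashlib.sha256(opening).digest() == com


class HatV:
    """The compiled verifier (hat V): owns r and the k*k share pairs of step 1."""

    def __init__(self, k, cheat=False):
        self.k = k
        self.r = secrets.token_bytes(NBYTES)
        self.com_r = commit(self.r)
        self.coms = [[None] * k for _ in range(k)]  # coms[i][l] = (COM(r0), COM(r1))
        for i in range(k):
            for l in range(k):
                s0 = secrets.token_bytes(NBYTES)
                s1 = xor(self.r, s0)  # r0 xor r1 = r
                if cheat and (i, l) == (0, 0):
                    # a cheating verifier: one pair no longer XORs to r
                    s1 = xor(s1, b"\x01" + bytes(NBYTES - 1))
                self.coms[i][l] = (commit(s0), commit(s1))

    def public_commitments(self):
        """What hat P sees after step 1: COM(r) and COM of every share."""
        return self.com_r[0], [[(c0[0], c1[0]) for c0, c1 in row] for row in self.coms]

    def decommit(self, l, bits):
        """Step 2(b): open r^{b_{i,l}}_{i,l} for i = 1..k."""
        return [self.coms[i][l][bits[i]][1] for i in range(self.k)]

    def witness(self):
        """Openings of r and of every share: the witness of the step-3 statement."""
        return self.com_r[1], [[(c0[1], c1[1]) for c0, c1 in row] for row in self.coms]


def statement_holds(com_r, coms, open_r, openings):
    """The NP relation proven in step 3: every opening is valid and
    r0_{i,l} xor r1_{i,l} = r for every i, l."""
    if not opens_to(com_r, open_r):
        return False
    r = open_r[-NBYTES:]
    for row_c, row_o in zip(coms, openings):
        for (c0, c1), (o0, o1) in zip(row_c, row_o):
            if not (opens_to(c0, o0) and opens_to(c1, o1)):
                return False
            if xor(o0[-NBYTES:], o1[-NBYTES:]) != r:
                return False
    return True


def run_preamble(k, cheat=False):
    """Steps 1-5 of Fig. 1 for one session. Returns
    (all decommitments valid, step-3 relation holds, r'', r', r)."""
    v = HatV(k, cheat)
    com_r, coms = v.public_commitments()
    openings_ok = True
    for l in range(k):                                     # step 2, l = 1..k
        bits = [secrets.randbelow(2) for _ in range(k)]    # 2(a): b_{1,l}, ..., b_{k,l}
        for i, opening in enumerate(v.decommit(l, bits)):  # 2(b)
            openings_ok = openings_ok and opens_to(coms[i][l][bits[i]], opening)
    statement_ok = statement_holds(com_r, coms, *v.witness())  # step 3, checked directly
    r_prime = secrets.token_bytes(NBYTES)                  # step 4: hat P -> hat V
    r_double_prime = xor(v.r, r_prime)                     # step 5: hat V sets r'' = r xor r'
    return openings_ok, statement_ok, r_double_prime, r_prime, v.r
```

Because step 2 opens only one share of each pair, the cheating verifier's decommitments all verify and only the step-3 relation fails, which is why the compiler needs the zero-knowledge proof of step 3 and not just the openings of step 2.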


4.1 Parameters of the Compiler 

Let $(P, V)$ be an honest verifier zero-knowledge argument system with $t$ rounds, $\epsilon_c$ completeness bound, $\epsilon_s$ soundness error, and $\epsilon_z$ zero-knowledge error. Let $(P', V')$ be a computational zero-knowledge proof system with $t'$ rounds, $\epsilon'_c$ completeness bound, $\epsilon'_s$ soundness error, and $\epsilon'_z$ zero-knowledge error. Let $\epsilon$ be the value from the Lemma that represents the statistical difference of a simulated run of the PRS preamble using SIMULATE from a real run against an arbitrary unbounded concurrent verifier strategy. Let $k$ be the number of rounds in the PRS preamble. Let $\epsilon_p$ be the probability that the PRS preamble is accepted by the prover and the verifier if they are behaving honestly. Let COM be the commitment used in the PRS preamble. Let $h_{COM}$ be the probability of a PPT machine breaking the hiding property of COM and $b_{COM}$ be the probability of an all powerful adversary breaking the binding property of COM. Let $S$ be the simulator for $(P, V)$ and $\hat S$ be a simulator for $(\hat P, \hat V)$.

We give the parameters that we obtain with our compiler in the following 
theorem. 

Theorem 1. Running the compiler given in Section 4 on the argument system $(P, V)$ results in a system $(\hat P, \hat V)$ with the following properties.

- The completeness bound of $(\hat P, \hat V)$ is $\epsilon_p \epsilon_c$.

- The soundness error of $(\hat P, \hat V)$ is $\epsilon_s + (k^2 h_{COM} + \epsilon'_z)t$.

- The zero-knowledge error of the protocol is:

$\Delta((\hat P, V^*)(x), \hat S^{V^*}(x)) = \epsilon + \epsilon_z + k^2 b_{COM} + \epsilon'_s t$

Proof. The proof of each of the above claims is given below individually. 

Completeness. Suppose $x \in L$. Then the probability that the protocol is accepted by $\hat V$ is:

$\Pr[(\text{PRS is accepted}) \wedge ((P, V) \text{ is accepted}) \wedge (\text{each execution of } (P', V') \text{ is accepted})] = (\epsilon_p)(\epsilon_c)(\epsilon'_c)^t$

Note that $\epsilon'_c$ is one since our protocol $(P', V')$ has perfect correctness. Thus we get that the probability that the transformed protocol is accepted is $(\epsilon_p)(\epsilon_c)$.

Soundness. Suppose $x \notin L$ and there exists an adversarial PPT prover $P^*$ that can get $\hat V$ to accept with non-negligible probability $\phi$. In other words, suppose $(\hat P, \hat V)$ has non-negligible soundness error $\phi$. We will show how to use $P^*$ to build a machine $D$ that breaks the soundness of the underlying zero-knowledge protocol $(P, V)$. We give a formal description of $D$ in Figure 2.

$D$ will use $P^*$ as follows. $D$ runs $P^*$ and executes the PRS preamble interacting with it, setting the committed value to a random $r$. Now, $D$ gives a computational zero-knowledge proof to $P^*$ and receives $r'$ as shown in Figure 2. It then runs the honest verifier machine $V$, acting as a cheating prover $P^*$ and trying to break the soundness of the system $(P, V)$.

In the $j$th round, $D$ receives $p_j$ from $P^*$ and sends it to $V$. $V$ will respond to $p_j$ with $v_j$. Now $D$ wants to be able to give $v_j$ as his response to $P^*$ so as to be able to continue the protocol. However $D$ needs his response to $P^*$ to be generated using randomness $r \oplus r'$ as per the protocol $(\hat P, \hat V)$. $D$ has already committed to $r$ with a statistically binding commitment and thus cannot necessarily decommit to an $r$ such that $v_j$ is consistent with $r$, $r'$ and $(P, V)$.
Common Input to $D$ and $V$: $x$

Auxiliary input to $D$: The cheating prover machine $P^*$

Description of $D$, a cheating prover for $(P, V)$

1. $D$ runs a copy of $P^*$, acting as the verifier itself.

2. $D$ generates $r \leftarrow R$. It then interacts with $P^*$ to carry out the PRS preamble using $r$.

3. $D$ gives a zero-knowledge proof $(P', V')$ to $P^*$ proving that all the shares it committed to in the PRS preamble are consistent with $r$.

4. $D$ receives $r'$ from $P^*$.

5. For $j = 1, \ldots, t$:

   (a) $D$ gets the message $p_j$ from $P^*$.

   (b) $D \to V$: $p_j$.

   (c) $V \to D$: $v_j$.

   (d) $D$ uses the simulator $S'$ of the system $(P', V')$ and simulates a proof with $P^*$ that $V(T^V_j, r \oplus r') = v_j$.


Fig. 2. $D$ acting as a cheating prover for $(P, V)$


However $D$ does not have to decommit to $r$, but only needs to give a zero-knowledge proof that he has committed to a randomness $r$ such that $v_j$ is consistent with $r$, $r'$ and $(P, V)$. He can use the simulator of $(P', V')$ to do this. Hence, $D$ sends $v_j$ to $P^*$ and simulates a zero-knowledge proof of its correctness by rewinding $P^*$. The probability that $P^*$ can differentiate between such a simulated run and a real run can be analyzed using a simple hybrid argument. As we move from a real run to a simulated one, we construct the following hybrid. $D$ acts as an honest $\hat V$ sending correct verifier messages $v_j$. However, instead of giving real zero-knowledge proofs, $D$ gives simulated proofs. In other words, although $D$ would have the witness to the NP statement, it does not use it and instead simulates the zero-knowledge proof. Clearly, the probability that $P^*$ can distinguish this hybrid from a real run is bounded by the zero-knowledge error (see Section 2) of $(P', V')$. Now, we move from the hybrid to the simulated run where, in the PRS preamble, $D$ did not commit to a randomness which could explain his message $v_j$ (but rather an unrelated randomness $r$). Hence, $D$ would not necessarily possess the witness of his statement.

Using the above hybrid argument, it can be shown that:

$\Pr[P^* \text{ can distinguish this simulation from a real run}] \le$

$\Pr[P^* \text{ can break the ZK condition of } (P', V')] +$

$\Pr[P^* \text{ can break any of the commitments during the PRS preamble}] \le k^2 h_{COM} + \epsilon'_z$

$P^*$ will see $t$ of these simulations from $D$. Thus we can use the union bound and get that the probability that $P^*$ will be able to distinguish any of the simulations from a real run is $(k^2 h_{COM} + \epsilon'_z)t$.


456 V. Goyal et al. 


Now, $\hat V$ will only accept in the protocol if the internal $V$ he is running accepts $p_1, v_1, \ldots, p_t, v_t$. Recall that the probability that $\hat V$ accepts when interacting with $P^*$ is $\phi$. Thus the probability that $V$ will accept an interaction with $D$ who is running $P^*$ can be computed as follows:

$\Pr[V \text{ accepts}] \ge$

$1 - \Pr[(P^* \text{ does distinguish}) \vee (\hat V \text{ does not accept})] \ge$

$1 - (\Pr[P^* \text{ does distinguish}] + \Pr[\hat V \text{ does not accept}]) \ge$

$1 - ((k^2 h_{COM} + \epsilon'_z)t + (1 - \phi))$

This value must be less than the soundness error of $(P, V)$. Thus we get an upper bound on the soundness error of the compiled protocol

$\phi \le \epsilon_s + (k^2 h_{COM} + \epsilon'_z)t$

Note that if $\epsilon_s$, $h_{COM}$, $\epsilon'_z$ are all negligible and $t$, $k$ are at most polynomial, the soundness error of the compiled protocol will be negligible.

Concurrent Statistical Zero-knowledge. Let us consider an arbitrary unbounded concurrent verifier strategy. Let $V^*$ be one of the verifiers representing a session in the concurrent verifier strategy. Given $S$, the simulator for the underlying protocol $(P, V)$, we show how to construct a simulator $\hat S$ for the protocol $(\hat P, \hat V)$. $\hat S$ will output a simulated transcript from a distribution which is only a negligible statistical distance from the distribution of the transcript of a real interaction. The simulator $\hat S$ is described formally in Figure 3.

$\hat S$ will first run $S$, the simulator of the underlying protocol. $\hat S$ will act as the honest verifier oracle for $S$, recording all the randomness that he uses as the oracle. After running $S$, $\hat S$ will have a transcript $p_1, v_1, \ldots, p_t, v_t$ and the randomness $\tilde r$ (used in creating the honest verifier responses $v_1, \ldots, v_t$). This transcript $p_1, v_1, \ldots, p_t, v_t$ will be statistically close to a real run of $(P, V)$.

As shown in the figure, $\hat S$ then runs the concurrently extractable simulator CEC-Sim (or in other words, the PRS simulator) and recovers the committed randomness $r^*$ with probability at least $(1 - \epsilon)$. Since the commitments that $V^*$ used during the PRS preamble are statistically binding, even an all powerful $V^*$ will not be able to change them except with negligible probability. We call this probability $b_{COM}$. After finishing the preamble, $\hat S$ will be a straight-line simulator and will not rewind $V^*$ any further.

$\hat S$ will now give $V^*$ a string $r'$ such that $r^* \oplus r' = \tilde r$. Note that the distribution of $r'$ will look completely uniform to $V^*$ since $V^*$ has no information about $\tilde r$.

Now for each round of the protocol, the simulator will proceed as follows. In round $j$, $\hat S$ will give $p_j$ to $V^*$. Since $V^*$ has already committed to $r^*$, it will now be forced to use randomness $r^* \oplus r'$, which is exactly $\tilde r$. It will therefore be forced to respond with $v_j$, except of course with the probability that he can break either the binding property of the commitment or the soundness of the zero-knowledge proof $(P', V')$. Since we are using statistically binding commitments and a zero-knowledge proof, the probability of an all powerful adversary
Input: $V^*$, one of the verifiers in an arbitrary unbounded concurrent verifier strategy.

The simulator $\hat S$

1. $\hat S$ acts as an honest verifier $V$ and runs the simulator $S$ of the argument system $(P, V)$ on itself. $\hat S$ generates $\tilde r \leftarrow R$ and uses it as randomness to interact with $S$. After the interaction, $\hat S$ gets as output the simulated transcript $p_1, v_1, \ldots, p_t, v_t$.

2. $\hat S$ runs a copy of $V^*$.

3. $\hat S$ runs the concurrently extractable simulator CEC-Sim on $V^*$. CEC-Sim executes the PRS preamble with $V^*$ and extracts its committed randomness $r^*$.

4. $\hat S$ carries out $(P', V')$ with $V^*$ in which $V^*$ proves that all the shares it committed to in the PRS preamble are consistent with $r^*$.

5. $\hat S$ computes $r'$ such that $r^* \oplus r' = \tilde r$ and sends it to $V^*$.

6. For $j = 1, \ldots, t$:

   (a) $\hat S$ sends $p_j$ to $V^*$ and receives $V^*$'s response $v'_j$.

   (b) $\hat S$ carries out $(P', V')$ with $V^*$ in which $V^*$ proves that its response $v'_j = V(T^V_j, \tilde r)$. $\hat S$ aborts if $v'_j \neq v_j$.


Fig. 3. The simulator $\hat S$ for $(\hat P, \hat V)$


breaking the binding property of the commitments or the soundness property of the $(P', V')$ is negligible. Thus the randomness that $V^*$ is forced to use will be $\tilde r$ and his response will therefore be $v_j$, exactly as in the transcript created by $S$. If this is not the case, $\hat S$ aborts.

We now analyze the probability of failure of the simulator $\hat S$. From a union bound, we can directly bound this probability by analyzing the probability of all the events which may cause $\hat S$ to fail. The failure probability is upper bounded by:

$\Pr[\text{Output of } S \text{ is not identically distributed to } (P, V)] +$

$\Pr[\text{CEC-Sim is unsuccessful in recovering } r^*] +$

$\Pr[V^* \text{ breaks the binding property of any of the commitments}] +$

$\Pr[V^* \text{ breaks the soundness property of } (P', V') \text{ for any of the executions}]$

$= \epsilon + \epsilon_z + k^2 b_{COM} + \epsilon'_s t$

Thus $\Delta((\hat P, V^*)(x), \hat S^{V^*}(x)) = (\epsilon + \epsilon_z + k^2 b_{COM} + \epsilon'_s t)$ as claimed.

Note that if $\epsilon$, $\epsilon_z$, $b_{COM}$, $\epsilon'_s$ are all negligible and $t$, $k$ are at most polynomial, the simulated transcript will have negligible statistical difference from a real run of the protocol.

4.2 Concurrent Statistical Zero-Knowledge Arguments from Any One Way Function

In order to build concurrent statistical zero-knowledge arguments from an OWF, we need the following theorem implicit in [NOV06].

Theorem 2. If one way functions exist, every language in NP has a public-coin statistical zero-knowledge argument system.

We can now apply our compiler to the protocol of Nguyen et al. [NOV06] to get the following corollary.

Corollary 1. If one way functions exist, every language in NP has a concurrent statistical zero-knowledge argument system.
Abstract. We present the first protocol for the anonymous transmission of a quantum state that is information-theoretically secure against an active adversary, without any assumption on the number of corrupt participants. The anonymity of the sender and receiver, as well as the privacy of the quantum state, are perfectly protected except with exponentially small probability. Even though a single corrupt participant can cause the protocol to abort, the quantum state can only be destroyed with exponentially small probability: if the protocol succeeds, the state is transferred to the receiver and otherwise it remains in the hands of the sender (provided the receiver is honest).

Keywords: quantum cryptography, multiparty computation, anonymity, dining cryptographers.


1 Introduction 

In David Chaum's classic dining cryptographers scenario [Cha88], a group of cryptographers is having dinner at a restaurant and it is the case that either one of them has anonymously paid the dinner bill or the NSA has paid. The task that the cryptographers wish to accomplish is to find out which of the two cases occurred, without revealing any additional information. The security of Chaum's protocol does not rely on any computational assumption, but only on the cryptographers having access to pairwise private channels and to a broadcast channel. A simple extension to this protocol allows a single participant, say Alice, to broadcast a message to all the other participants in such a way that Alice's identity is information-theoretically protected.
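The classical dining cryptographers protocol just described, with the single-sender message extension, as an added example (not code from the paper): pairwise private channels are modelled as pre-shared random keys, the broadcast channel as a list of announcements, and all participant counts and messages are constructed.

```python
import secrets


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def pairwise_keys(n, nbytes):
    """Private channels: each pair {i, j} agrees on a fresh random key."""
    return {(i, j): secrets.token_bytes(nbytes)
            for i in range(n) for j in range(i + 1, n)}


def announcement(p, keys, nbytes, message=None):
    """Participant p's broadcast: the XOR of every key p shares, plus the
    message if p is the (anonymous) sender. A one-byte 0x01 message is
    Chaum's 'I paid' bit; longer messages are the broadcast extension."""
    out = bytes(nbytes)
    for (i, j), key in keys.items():
        if p in (i, j):
            out = xor(out, key)
    return xor(out, message) if message is not None else out


def dc_round(n, keys, nbytes, sender=None, message=None):
    """One round over the broadcast channel. Returns (announcements, XOR of
    all announcements). Every key enters exactly twice and cancels, so the
    XOR equals the message, or all zeros when nobody sent (the 'NSA paid'
    outcome of the story)."""
    ann = [announcement(p, keys, nbytes, message if p == sender else None)
           for p in range(n)]
    result = bytes(nbytes)
    for a in ann:
        result = xor(result, a)
    return ann, result


def coalition_residuals(ann, keys, corrupt):
    """View of a colluding set of corrupt participants: each honest party's
    announcement stripped of the keys it shares with the coalition. What is
    left is the XOR of keys shared only among honest parties (plus the message
    for the sender); with at least two honest parties each residual on its own
    is uniformly random, so the coalition cannot tell which honest party sent.
    Only the XOR of all honest residuals equals the message."""
    res = {}
    for p in range(len(ann)):
        if p in corrupt:
            continue
        r = ann[p]
        for (i, j), key in keys.items():
            if p in (i, j) and (i in corrupt or j in corrupt):
                r = xor(r, key)
        res[p] = r
    return res
```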

But what if Alice wishes to send a private message to Bob (who is also sitting at the dinner table), while ensuring the anonymity of both herself and of Bob? This task is called anonymous message transmission. As an instance of multiparty secure computation, such a protocol can be accomplished, assuming pairwise private channels and a broadcast channel, as long as a majority of participants are honest [RB89]. Recently, two of us [BT07] have given a protocol that requires pairwise private channels and a broadcast channel, and accomplishes anonymous message transmission without any assumption on the number of honest participants. The protocol, however, allows even a single corrupt participant to cause an abort.

K. Kurosawa (Ed.): ASIACRYPT 2007, LNCS 4833, pp. 460–473, 2007.

© International Association for Cryptologic Research 2007


Anonymous Quantum Communication 461

Our main contribution is to give the first information-theoretically secure protocol for quantum anonymous transmission that tolerates any number of corrupt participants. That is, our protocol allows Alice to send a quantum message to Bob such that both Alice and Bob remain anonymous (no participant learns the identity of Alice, even if Bob is corrupt, and the identity of Bob remains known only to Alice), and the quantum message remains private (nothing about it leaks to participants other than Bob, unless of course Bob is corrupt). The anonymity of the sender and receiver, as well as the privacy of the quantum message, are perfect except with exponentially small probability, regardless of the behaviour of cheating parties, with no need to rely on any assumptions other than the availability of a classical broadcast channel as well as private authenticated quantum channels between each pair of participants. Our protocol has features similar to the anonymous (classical) message transmission protocol mentioned above: we can tolerate an arbitrary number of corrupt participants, but any single corrupt participant can cause the protocol to abort. However, no private information can be obtained by making the protocol abort.

Since Alice sends quantum information, we need to address a concern that did not exist in the context of classical anonymous message transmission: the state to be transmitted should never be destroyed even if the protocol aborts (unless the receiver is corrupt, since in that case he can follow honestly the protocol until the very end, and then destroy the successfully transmitted message!). Because of the no-cloning theorem [WZ82], the sender cannot generally keep a backup copy of the message before entering the protocol. Nevertheless, we accomplish this safeguard as part of the main protocol with a simple and novel notion called fail-safe teleportation. This notion ensures that if something went wrong with the transmission of the state, its integrity is never at stake because the receiver can always teleport it back to the sender in a way that does not compromise anonymity.

1.1 Anonymity 

Anonymity is a basic cryptographic concept whose goal is to hide the identity of the sender or receiver of a message (or both). It is different from, but often complementary to privacy, which ensures the confidentiality of a message. Examples of anonymous tasks include sending an anonymous letter to one's love, using an email account with a pseudonym, accessing a web page through a trusted identity proxy server or blind reviewing of a conference paper. Three approaches to classical anonymity are generally considered. The first one requires the help of a trusted third party that forwards messages between participants without revealing the identity of the senders. Anonymizers [Boy97, GGK+99] belong to this class. The second approach uses chains of untrusted servers that randomize the ordering of messages. This reordering prevents an outside observer from linking the sender and the receiver of a particular message. The privacy of messages is generally assured by a public-key cryptosystem. Chaum's MixNets [Cha81] are an instance of techniques using this approach. The third and last approach offers information-theoretic security, assuming resources such as a broadcast channel and pairwise private channels. Chaum's dining cryptographers protocol [Cha88] is the archetypical example of a protocol in this category.

1.2 Model 

In our model, we suppose that each pair of participants shares a private authenticated quantum channel, which means that a participant can send an authenticated private message (quantum or classical) to any other participant. Such a channel can be implemented if the participants share pairwise quantum channels as well as classical secret keys. An extra tool is given to the participants under the form of a (classical) broadcast channel. This channel guarantees that all participants receive the same message from a publicly known sender, and that the message is not modified while in transit.

Two security models are generally considered in secure multiparty computation: honest-but-curious and malicious. In the honest-but-curious model (also called semi-honest), the participants are assumed to follow the protocol (thus being honest) but at the same time record all the information they have seen during its execution (thus being curious). In this model, a protocol is said to be secure against a collusion of participants if, by pooling their data, these participants cannot learn more information than from their inputs and the output of the protocol alone. In the malicious model, participants may actively cheat and deviate from the original prescription of the protocol. Cheaters can for instance try to learn information about the input of honest participants or tamper with the output of the protocol. Formal definitions can be found in Chapter 7 of [Gol04]. Both these models are neatly encapsulated by considering a central entity called an adversary, which controls some of the participants, rendering them corrupt. The adversary is passive if the corrupt participants are honest-but-curious, and active if the corrupt participants are malicious. In this paper, we consider the case of an active adversary that chooses the set of corrupt participants before the execution of the protocol.

In the scenario that we consider, within a group of n participants, the 
anonymous sender communicates a private quantum message to an anonymous 
receiver. The sender is unknown to all participants and the receiver is unknown 
to all participants except to the sender. We give the following definitions: 

Definition 1 (Sender Anonymity). A protocol achieves sender anonymity if it does not reveal any information concerning the identity of the sender to any adversary. An exception concerns the receiver (or the adversary, if the receiver is corrupt), who may legitimately learn something about the identity of the sender by virtue of the contents of the transmitted message.
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Note that in particular, if the sender is corrupt, a protocol vacuously achieves 
sender anonymity, and that sender anonymity requires that no adversary can 
learn the identity of the sender, even if the receiver is corrupt. 

Definition 2 (Receiver Anonymity). A protocol achieves receiver anonymity if it does not reveal any information concerning the identity of the receiver to any adversary beyond what could be legitimately learned by knowing for each corrupt participant whether or not he is the receiver.

Note that in particular, if the sender or receiver is corrupt, a protocol vacuously 
achieves receiver anonymity. 

Definition 3 (Full Anonymity). A protocol achieves full anonymity if it does not reveal any information about the relation between the identity of the sender and receiver to any adversary beyond what could be legitimately learned by knowing for each corrupt participant whether or not he is the receiver.

Note that full anonymity implies sender and receiver anonymity and that if the 
sender is corrupt, a protocol vacuously achieves full anonymity. 

Remark. The asymmetry between the definitions of sender and receiver anonymity stems from the fact that, contrary to the sender, the receiver does not know at the onset of the protocol that such a role will be imparted upon him.

In what follows, we are only interested in protocols that are unconditionally secure in the information-theoretic sense for the purpose of achieving full anonymity. We place no limit on the number of corrupt participants. However, our protocol could abort if even a single corrupt participant deviates from the prescribed protocol. Even if the protocol aborts, full anonymity as well as message privacy are never compromised, except with exponentially small probability. Note that if we had some sort of guarantee that a strict majority of participants is honest, then anonymous quantum message transmission could be implemented as a special case of quantum secure multiparty computation [BCG+06].

1.3 Anonymity in the Quantum World 

The first protocol based on quantum mechanics that allows the anonymous communication of classical information was proposed by P. Oscar Boykin [Boy02]. In the case of a quantum message, Matthias Christandl and Stephanie Wehner were first to define the concept of anonymous quantum message transmission and to give an explicit protocol for solving this task [Weh04, CW05], but under the deus ex machina assumption that the $n$ participants share ahead of time the entangled state $|+_n\rangle = \frac{1}{\sqrt{2}}|0^n\rangle + \frac{1}{\sqrt{2}}|1^n\rangle$. (No mechanism is proposed to verify the validity of that state.) Under that assumption, their protocol is information-theoretically secure in terms of full anonymity, but malicious participants can alter the transmitted state in a way that will not be detected by the honest participants.
One key notion introduced in the paper of Christandl and Wehner is that of anonymous entanglement. Starting with the assumed $n$-party entangled state $|+_n\rangle$, the sender and the receiver end up sharing a two-party entangled state $|+_2\rangle$, better known as the Bell state $|\Phi^+\rangle = \frac{1}{\sqrt{2}}|00\rangle + \frac{1}{\sqrt{2}}|11\rangle$, provided the other parties follow the protocol honestly. This entanglement is anonymous because the sender has chosen with which other party (the receiver) he shares it, but the receiver has no information concerning the party with which he is entangled. Moreover, the other parties have no information concerning who are the two entangled parties (assuming the entangled parties are not corrupt).

A first attempt to accomplish quantum message transmission in the presence of an unlimited number of corrupt participants without assuming that a trusted state $|+_n\rangle$ is shared between the participants before the onset of the protocol was made by Jan Bouda and Josef Sprojcar [BS07], but in a public-receiver model (the sender is anonymous but the receiver is public). The creation and distribution of a $|+_n\rangle$ state is an important part of their protocol. From there, they attempt to establish semi-anonymous entanglement (the identity of one of the entangled parties, the receiver, is public). However, careful analysis reveals that an active adversary can proceed in such a way that the probability that the protocol aborts becomes correlated with the identity of the sender, thus compromising his anonymity. If the protocol requires the receiver to stay quiet in order not to reveal whether or not the protocol has succeeded, it is true that the anonymity of the sender is preserved. However, this is very different from the model usually considered in secure multiparty computation, in which all the participants learn at the end of the protocol whether or not it has succeeded. More importantly, this approach makes it impossible to preserve the identity of the sender whenever the receiver is corrupt. Indeed, if we wanted to cope with a corrupt receiver and still preserve sender anonymity, this would require the need to hide from the receiver himself whether or not the protocol has succeeded. But if it were the case that the message itself (if received) did not convey any information on the success of the protocol, then it would mean that it is no more useful than a totally random state. Then, why bother sending it at all?

Our own protocol is also based on the establishment of anonymous entanglement between the sender and the receiver. However, compared to the protocol of Christandl and Wehner, we do not need to assume an a priori shared $|+_n\rangle$ state and no malicious attempt at corrupting the intended final $|\Phi^+\rangle$ state between the sender and the receiver can succeed (except with exponentially small probability) without causing an abort. It follows that the intended state will be transmitted faithfully unless the protocol aborts, in which case it will end up intact at the sender's by virtue of fail-safe teleportation (unless the receiver is corrupt). Compared with the protocol of Bouda and Sprojcar, our receiver is anonymous and the identity of the sender and the receiver cannot be correlated with the probability that the protocol aborts, allowing us to achieve full anonymity according to Definition 3.
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2 Toolbox 

We now survey the classical and quantum tools that are used in our main protocol. Two of us recently developed several classical secure multiparty protocols [BT07]; we present below some of the relevant results, which will be used in the next section. All protocols assume pairwise authentic private classical channels and a broadcast channel. They offer information-theoretic security and have polynomial complexity in the number of participants as well as in a security parameter and, in the case of Theorem 4, in the number of bits in the transmitted message. In all cases, the expression "exponentially close to 1" or "exponentially small" means "exponentially in the security parameter". We also review a key result from [BCG+02].

Theorem 1 (Logical OR [BT07]). There exists a secure multiparty protocol to compute the logical OR of the participants' input bits (one bit per participant). If all participants are honest, the correct answer is computed, with probability exponentially close to 1. Misbehaving participants cannot cause the protocol to abort. (Any refusal to participate when expected will cause the output to be 1.) The only information an active adversary can learn through the protocol is if at least one honest participant has input 1. No information about the number of such participants or their identity is revealed.

Theorem 2 (Collision Detection [BT07]). There exists a collision detection protocol in which each participant inputs a bit. Let $r$ denote the number of 1s among these input bits. The protocol has three possible outcomes corresponding to whether $r = 0$, $r = 1$ or $r \ge 2$. If all participants are honest, the correct value is computed with probability exponentially close to 1. No participant can make the protocol abort, and an adversary cannot learn more than it could have learned by assigning to all corrupt participants the input 0 and letting them follow the protocol faithfully. A single corrupt participant can cause the output corresponding to $r \ge 2$ regardless of the other inputs (even if all the other inputs are 0). Also, it is possible for a corrupt participant to set his input to 0 if all other participants have input 0 (producing an $r = 0$ output) and to 1 otherwise (producing an $r \ge 2$ output). No other form of cheating is possible.

Although the collision detection protocol outlined above may look rather imperfect, it is actually just as useful as the ideal protocol for our purpose.

Theorem 3 (Notification [BT07]). There exists a notification protocol in which participants can notify other participants of their choosing. Each player's output is one private bit specifying if he has been notified at least once; this value is correctly computed with probability exponentially close to 1. This is the only information accessible through the protocol even in the case of an active adversary.

According to [BT07], it is possible in general to invoke the notification protocol even if multiple senders want to notify several receivers. However, in the specific context of our use of this protocol for the purpose of anonymous quantum message transmission, we forbid any honest participant to engage in the above notification protocol without having previously caused output "$r = 1$" in the collision detection protocol (Theorem 2). Similarly, no honest participant $S$ will ever engage in the anonymous message transmission protocol below unless he has initially caused output "$r = 1$" in the collision detection protocol and has notified a single other participant $R$.

Theorem 4 (Anonymous Message Transmission [BT07]). There exists an anonymous message transmission protocol in which a sender can transmit a classical message to a receiver such that even in the presence of an active adversary, full anonymity is achieved and the privacy of the message is perfect. If all participants are honest then the message is transmitted perfectly. Any attempt by a corrupt participant to modify the message will cause the protocol to abort, except with exponentially small probability.

In 2002, Howard Barnum, Claude Crépeau, Daniel Gottesman and Alain Tapp presented a non-interactive scheme for the authentication of quantum messages [BCG+02]. The protocol also encrypts the quantum state to be transmitted and is information-theoretically secure.

Theorem 5 (Quantum Authentication [BCG+02]). There exists an information-theoretically secure quantum authentication scheme to authenticate an arbitrary quantum message $|\psi\rangle$ of length $m$ with an encoding circuit (called authenticate) and a decoding circuit (called decode) of size polynomial in $m$, which uses a random private key of length $2m + 2s + 1$ and has authenticated message of length $m + s$. Let $p$ be the probability that the message is accepted. If the message is accepted then let $q$ be the probability of obtaining outcome $|\psi\rangle$ when measuring in a basis containing $|\psi\rangle$. If the authenticated message is not modified, then $p = q = 1$. Otherwise, $pq + (1 - p) \ge 1 - 2^{-s}$. The protocol also perfectly preserves the privacy of the transmitted message.

3 Protocol for Anonymous Quantum Message Transmission

In this section, we describe and analyse our protocol for anonymous quantum message transmission. Our protocol allows an anonymous sender S to transmit an m-qubit message |ψ⟩ to an anonymous receiver R. We assume a broadcast channel as well as an information-theoretically secure private and authenticated quantum channel between each pair of participants (which can also be used, of course, to transmit classical information). Our protocol achieves full anonymity and message privacy, except with exponentially small probability. The security proof for the protocol makes no assumption on the number of corrupt participants, but a single corrupt participant can make the protocol abort. However, if the sender and the receiver are honest, the quantum message to be transmitted will only be lost with exponentially small probability.

Here is an informal description of the protocol. In the first step, the purely classical collision detection protocol of Theorem 2 is performed to establish that exactly one participant wants to send an anonymous quantum message. If this is not the case, the protocol aborts. In case it is found that more than one participant wants to speak, one might imagine alternative scenarios such as asking each one of them to decide at random whether or not to skip their turn and trying the collision detection protocol again until a single-sender occurrence occurs. This will reveal information on the number of honest would-be senders and may take too many trials if there are too many of them, so that more sophisticated solutions might need to be considered. (Further elaboration on this issue would go beyond the scope of this paper.)

In the next two steps, the participants collaborate to establish multiple instances of a shared state $|+_n\rangle = \frac{1}{\sqrt{2}}\,|0^n\rangle + \frac{1}{\sqrt{2}}\,|1^n\rangle$. Then, the sender designates a receiver by use of the notification protocol (Theorem 3).

If honest, the receiver will act differently from the other participants, but in a way that is indistinguishable, so that his anonymity is preserved. The shared instances of |+_n⟩ are then used to create anonymous entanglement between the sender and the receiver. However, the anonymous entanglement could be imperfect if other participants misbehave. For this reason, the sender then creates a sufficient number of instances of the Bell state |Φ+⟩. The possibly imperfect anonymous entanglement is used to teleport [BBC+93] an authenticated version of half of each |Φ+⟩. If this first teleportation is successful, the sender uses this newly established perfect anonymous entanglement to teleport the quantum message itself. Our fail-safe quantum teleportation protocol ensures that unless the receiver is corrupt, the quantum message is never destroyed, except with exponentially small probability: either it is safely transmitted to the receiver, or it comes back intact to the sender.

In more detail, all classical communication from the sender to the receiver is performed anonymously using the anonymous message transmission protocol (Theorem 4). To create anonymous entanglement, all participants must be involved. One participant (who is chosen arbitrarily, for instance the first participant in lexicographic order) creates a state |+_n⟩ and distributes one qubit to each participant, keeping one for himself. Of course, this participant could be corrupt, so that there is no guarantee that a proper |+_n⟩ has been distributed. Moreover, a corrupt distributor could send different states to different honest participants, in the hope that the future evolution of the protocol may depend on who is the sender and who is the receiver. Foiling this threat constitutes a key contribution of our protocol. For this reason, all participants verify this state without destroying it in the next step. If the verification succeeds, the state shared amongst all participants is guaranteed to be invariant under permutation of the honest participants (Lemma 1), even though it could still not be a genuine |+_n⟩ state. This ensures full anonymity. Furthermore, the behaviour of the state |+_n⟩, when measured by all but two parties in the Hadamard basis, ensures correctness (unless it aborts) as shown in Theorems 6 and 8.

The full protocol is given as Protocol 1, where we denote by P the conditional phase change defined by P|0⟩ = |0⟩ and P|1⟩ = −|1⟩. Note that if two participants (such as the sender and the receiver) share an instance of the Bell state $|\Phi^-\rangle = \frac{1}{\sqrt{2}}\,|00\rangle - \frac{1}{\sqrt{2}}\,|11\rangle$, a single participant (such as the sender) can convert this to a |Φ+⟩ by locally applying the P operation. Note also that such a local operation (performed by the sender) has no detectable effect that could be measured by the other participants (in particular the receiver), which ensures that the anonymity of the sender is not compromised. It is easy to see that Protocol 1 has polynomial complexity in n (the number of participants), s (the security parameter) and m (the length of the message).

Protocol 1. Anonymous Quantum Message Transmission

Let s be the security parameter and m be the length of the quantum message |ψ⟩. All quantum communication is performed using the private authenticated quantum channels.

1. Multiple Sender Detection

1.1 The collision detection protocol (Theorem 2) is used to determine if one and only one participant wants to be the sender. If not, the protocol aborts.

2. Entanglement Distribution

2.1 One arbitrarily designated participant creates 2m + s instances of the state |+_n⟩ and sends one qubit of each instance to each participant, keeping one qubit of each instance for himself.

3. Entanglement Verification

For each of the 2m + s instances:

3.1 Each participant makes n − 1 pseudo-copies of his qubit by applying a controlled-not with it as the source and a qubit initialized to |0⟩ as the target. One such pseudo-copy is sent to every other participant.

3.2 Each participant verifies that all the n qubits in his possession are in the subspace spanned by {|0^n⟩, |1^n⟩}.

3.3 Each participant broadcasts the outcome of the previous step. If any outcome is negative, the protocol aborts.

3.4 Each participant resets n − 1 of his qubits to |0⟩ by performing n − 1 controlled-not operations. These qubits are discarded and the one remaining is back to the state distributed at step 2.1.

4. Receiver Notification

4.1 The participants execute the notification protocol (Theorem 3) in which only S notifies a single R.

5. Anonymous Entanglement Generation

For each of the 2m + s instances:

5.1 All participants except S and R measure in the Hadamard basis the qubit that remains from step 3.4.

5.2 Each participant broadcasts the result of his measurement (S and R broadcast two random dummy bits).

5.3 S computes the parity of all the bits received during the previous step (except his own and that of R).

5.4 If the parity is odd, S applies P, the conditional phase change, to his remaining qubit (the two qubits shared by S and R are now in the Bell state |Φ+⟩).

6. Perfect Anonymous Entanglement

6.1 S creates 2m instances of the Bell state |Φ+⟩. He keeps the first qubit of each pair; let ρ be the rest of the pairs.

6.2 S creates a random classical key k of length 4m + 2s + 1, and computes ρ' = authenticate(ρ, k).

6.3 S performs a teleportation measurement on ρ' using the anonymous |Φ+⟩ states generated during step 5.

6.4 S uses the anonymous message transmission protocol (Theorem 4) to send k and the teleportation bits to R.

6.5 R completes the teleportation and computes ρ = decode(ρ', k). If the decoding is successful, S and R share perfect anonymous entanglement (they share 2m instances of |Φ+⟩).

6.6 A logical OR is computed (Theorem 1): all players input 0 except R, who inputs 1 if the authentication failed and 0 otherwise. If the outcome is 1, the protocol aborts.

7. Fail-Safe Teleportation

7.1 S teleports the state |ψ⟩ to R using the first m pairs generated in the previous step. The teleportation bits are anonymously transmitted to R (Theorem 4). If the communication succeeds, R terminates the teleportation.

7.2 A logical OR is performed (Theorem 1): all players input 0 except R, who inputs 1 if the communication of the teleportation bits failed. If the outcome is 0, the protocol succeeds. Otherwise, S and R do the following:

7.2.1 R performs a teleportation measurement using the remaining perfect anonymous entanglement to teleport back to S the quantum state resulting from the partially failed step 7.1.

7.2.2 All participants broadcast 2m random bits, except R who broadcasts the teleportation bits from above. The protocol continues even if one of the participants refuses to broadcast.

7.2.3 S reconstructs |ψ⟩ from his own teleportation bits from step 7.1 and R's teleportation bits received from the broadcast. The protocol aborts.

Theorem 6 (Correctness). Assume all participants are honest in Protocol 1. If more than one of them wishes to be a sender, this will be detected with probability exponentially close to 1 in the first step. Otherwise, the message is transmitted perfectly with probability exponentially close to 1, and the protocol can abort only with exponentially small probability.

Proof. Even if all participants are honest, it is possible for collision detection or notification to produce an incorrect output (the notification protocol may also abort); however, this happens with exponentially small probability.

To ensure correctness of the protocol, we only have to verify that S and R share a sufficient number of proper Bell states |Φ+⟩ at the end of step 5. It is clear that at the end of step 3 the participants share proper instances of the state |+_n⟩ (since we are assuming in this theorem that they are honest). When S computes the parity of the measurement outcomes in step 5.3, this corresponds to the parity of the measurement results in the Hadamard basis of the state |+_n⟩, where all but two qubits are measured. If the parity is even, S and R share |Φ+⟩ and otherwise |Φ−⟩, which is corrected by the sender by the application of the conditional phase change P. □
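The parity argument in this proof (steps 5.1 to 5.4 of Protocol 1) is small enough to check exhaustively. The following state-vector simulation is an added example written for this edition, not code from the paper: it prepares |+_n⟩, applies the step 3.2 subspace test, projects the n − 2 qubits of the other participants onto the Hadamard basis with a caller-chosen outcome string (constructed, so that every branch is enumerated rather than sampled), and applies P on the sender's qubit when the parity is odd. The choice that qubit 0 plays S and qubit 1 plays R, the function names, and the |0^n⟩ "corrupt distributor" case at the end are the example's own; that last case illustrates the remark before Lemma 1 that a state can pass verification without being a genuine |+_n⟩.

```python
import math

SQRT2 = math.sqrt(2)


def basis_state(n, index):
    """Computational basis state |index> of n qubits as a 2**n amplitude list (qubit 0 = most significant bit)."""
    amp = [0j] * (1 << n)
    amp[index] = 1 + 0j
    return amp


def plus_n(n):
    """|+_n> = (|0^n> + |1^n>)/sqrt(2): the state an honest distributor hands out in step 2.1."""
    amp = [0j] * (1 << n)
    amp[0] = amp[-1] = 1 / SQRT2
    return amp


def in_verification_subspace(state, tol=1e-9):
    """Step 3.2: all amplitude must lie on |0...0> and |1...1>."""
    return all(abs(a) < tol for a in state[1:-1])


def measure_hadamard(state, n, qubit, outcome):
    """Project `qubit` of an n-qubit state onto <outcome_H|, where |0_H> = |+> and |1_H> = |->.
    Returns the normalised (n-1)-qubit post-measurement state and the probability of that outcome."""
    low_bits = n - 1 - qubit
    new = [0j] * (1 << (n - 1))
    for i, a in enumerate(state):
        if a == 0:
            continue
        bit = (i >> low_bits) & 1
        coeff = (-1.0 if (bit == 1 and outcome == 1) else 1.0) / SQRT2   # <outcome_H | bit>
        j = ((i >> (low_bits + 1)) << low_bits) | (i & ((1 << low_bits) - 1))  # drop the measured bit
        new[j] += coeff * a
    prob = sum(abs(x) ** 2 for x in new)
    return [x / math.sqrt(prob) for x in new], prob


def conditional_phase(state, n, qubit):
    """P|0> = |0>, P|1> = -|1> on one qubit: a local operation, invisible to every other participant."""
    low_bits = n - 1 - qubit
    return [-a if (i >> low_bits) & 1 else a for i, a in enumerate(state)]


def anonymous_entanglement(n, outcomes, initial=None, correct=True):
    """Steps 5.1-5.4 for one distributed instance. Qubit 0 plays S, qubit 1 plays R; the other n-2
    participants measure in the Hadamard basis and announce `outcomes`. Returns the two-qubit
    state that S and R hold afterwards (before S's correction when correct=False)."""
    assert len(outcomes) == n - 2
    state = plus_n(n) if initial is None else list(initial)
    remaining = n
    for b in outcomes:
        state, _ = measure_hadamard(state, remaining, 2, b)  # after each removal the next party is qubit 2
        remaining -= 1
    if correct and sum(outcomes) % 2 == 1:   # step 5.4: odd parity means |Phi->, S flips the sign locally
        state = conditional_phase(state, 2, 0)
    return state


def bell_phi(sign):
    """|Phi+> for sign=+1, |Phi-> for sign=-1."""
    return [1 / SQRT2, 0j, 0j, sign / SQRT2]


def close(u, v, tol=1e-9):
    return len(u) == len(v) and all(abs(a - b) < tol for a, b in zip(u, v))


def all_branches_give_phi_plus(n):
    """Enumerate every outcome string of the n-2 measuring parties and check the claim of Theorem 6:
    even parity leaves |Phi+>, odd parity leaves |Phi->, and the correction always yields |Phi+>."""
    for bits in range(1 << (n - 2)):
        outcomes = [(bits >> k) & 1 for k in range(n - 2)]
        expected = bell_phi(+1 if sum(outcomes) % 2 == 0 else -1)
        if not close(anonymous_entanglement(n, outcomes, correct=False), expected):
            return False
        if not close(anonymous_entanglement(n, outcomes), bell_phi(+1)):
            return False
    return True


if __name__ == "__main__":
    print("honest |+_5> passes step 3.2:", in_verification_subspace(plus_n(5)))
    print("every parity branch corrected to |Phi+>:", all_branches_give_phi_plus(5))
    # A distributor handing out |0000> also passes step 3.2 (it lies in span{|0^n>, |1^n>}),
    # yet S and R end up with the product state |00>: step 6 exists to detect exactly this.
    cheat = basis_state(4, 0)
    print("|0^4> passes step 3.2:", in_verification_subspace(cheat))
    print("S,R state after step 5 on |0^4>:", anonymous_entanglement(4, [1, 0], initial=cheat))
```

Each outcome string of the measuring parties has probability 2^−(n−2) on a genuine |+_n⟩, so the sign of the residual Bell state is determined entirely by the announced parity, which is what lets S fix it with a purely local P and without any message that could expose him.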

The following lemma is necessary in the proof of anonymity and privacy (Theorem 7).

Lemma 1 (Invariance Under Permutation of Honest Participants). In Protocol 1, if step 3 succeeds, then the state of the system at the end of the step is:

$$\alpha\,|00\ldots0\rangle_H\,|\psi_0\rangle_C + \beta\,|11\ldots1\rangle_H\,|\psi_1\rangle_C, \qquad (1)$$

where H denotes the honest participants' subsystem, C denotes the corrupt participants' subsystem, and $\alpha, \beta \in \mathbb{C}$ are such that $|\alpha|^2 + |\beta|^2 = 1$.

Proof. In the entanglement verification step, each honest participant sends a pseudo-copy of his state to every other honest participant. Therefore, after a single honest participant verifies that his qubits are in the subspace spanned by {|0^n⟩, |1^n⟩}, we are already ensured that if the entanglement verification succeeds, the state will be of the form given above. Note that the corrupt participants' subsystem C could span more than t qubits since they can bring arbitrary ancillas into their cheating strategy. □

Theorem 7 (Anonymity and Privacy). Regardless of the number of corrupt participants and except with exponentially small probability, Protocol 1 achieves full anonymity and privacy of the transmitted message |ψ⟩.

Proof. We analyse the protocol step by step in order to prove the statement.

By virtue of Theorem 2, step 1 does not compromise the identity of the sender, and it involves neither the receiver nor the quantum state to be transmitted. Steps 2 and 3 are done without any reference to S or R and thus cannot compromise their anonymity either. Furthermore, the state obtained at the end of step 3 (if it does not abort) cannot be specifically correlated with any honest participant even if some other participants are corrupt. More precisely, by Lemma 1 the state is invariant under any permutation of the honest participants. This is crucial for the anonymity and privacy of the rest of the protocol. In particular, it guarantees that the probability that the protocol aborts does not depend on the identity of S or R, or any relationship between them. We prove this below in the analysis of step 6.

The security of step 4 follows directly from the unconditional security of the notification protocol (Theorem 3). However, if S fails to notify R in step 4 (this happens with exponentially small probability), an adversary can surreptitiously take over the role of the honest receiver in the rest of the protocol without being detected. In that case, the adversary will violate the secrecy of the transmitted state, yet without compromising the sender and receiver anonymity beyond what can be learned by inspecting the illegitimately received state.
In step 5 anonymous entanglement is generated. No information is revealed to the adversary in this step since all communication is done by honest participants broadcasting random bits.

For step 6, all communication is done using the anonymous message transmission protocol, which is secure according to Theorem 4, except in the logical OR computation at the end, which reveals the success or failure of the authentication part of the protocol. We now show that this last substep cannot reveal any information on the identity of S or R. This is because the success or failure of the authentication step is uncorrelated to the identity of S and R: by Lemma 1, as far as the qubits are concerned, all honest participants are identical under permutation. Thus the adversary has no strategy that would allow him to determine any information about the identity of S or R, or even about any relation between them.

During step 7 all the bits sent from S to R are randomly and uniformly distributed because they are the classical bits resulting from the teleportation protocol; therefore they do not reveal any information about the identity of S. A similar observation about the bits broadcast by R in the case that the very last part of the protocol is executed ensures that R and S remain anonymous.

The privacy of the state |ψ⟩ in the case that S successfully notified R in step 4 (which happens with probability exponentially close to 1) is guaranteed by the basic properties of teleportation. □

Theorem 8 (Integrity). At the end of Protocol 1, if R is honest then the state |ψ⟩ is either in the possession of S or R, except with exponentially small probability. Furthermore, |ψ⟩ can only stay with S if the protocol has aborted.

Proof. If all participants are honest, then by Theorem 6 the state is in the possession of R except with exponentially small probability. Otherwise, the protocol might abort before step 7, in which case S still has |ψ⟩. If the protocol reaches step 7, due to the quantum authentication of step 6, S and R share 2m perfect Bell states |Φ+⟩ (with probability exponentially close to 1), which are used for teleportation in step 7. If the first step of the fail-safe teleportation fails, then S no longer has |ψ⟩; however, the last three substeps of the protocol will always succeed and S will reconstruct |ψ⟩ (provided R is honest). Furthermore, it follows from the virtues of teleportation that if the protocol does not abort, the state is no longer with S. □

The reason why we specify in Theorem 8 that R must be honest is that a corrupt R can destroy |ψ⟩ by simply discarding it after having faithfully followed the entire protocol. There remains one subtlety to mention: a corrupt R could behave honestly until the last step. Then, he would input 1 in the logical OR computation to force S to accept the teleportation back of the state. At that point, the corrupt R could teleport back to S a fake state. As a result, S would be fooled into thinking he still has custody of the original quantum state when, in fact, that state is in the hands of R. (In general, there will be no way for S to know that this has happened.)
4 Conclusion and Discussion

We have presented the first information-theoretically secure protocol for quantum communication between an anonymous sender and an anonymous receiver that tolerates an arbitrary number of corrupt participants. In particular, this means that no adversary can learn any information that will break the anonymity of the sender or receiver. Our protocol also provides perfect privacy for the quantum message and ensures that the quantum message is never destroyed, except with exponentially small probability. The drawback of our protocol is that any participant can disrupt the protocol and make it abort.
Abstract. This paper introduces a new paradigm to realize various types of cryptographic primitives such as authenticated key exchange and key encapsulation in the standard model under three standard assumptions: the decisional Diffie-Hellman (DDH) assumption, target collision resistant (TCR) hash functions and pseudo-random functions (PRFs). We propose the first (PKI-based) two-pass authenticated key exchange (AKE) protocol that is comparably as efficient as the existing most efficient protocols like MQV and that is secure in the standard model (under these standard assumptions), while the existing efficient two-pass AKE protocols such as HMQV, NAXOS and CMQV are secure in the random oracle model. Our protocol is shown to be secure in the (currently) strongest security definition, the extended Canetti-Krawczyk (eCK) security definition introduced by LaMacchia, Lauter and Mityagin. This paper also proposes a CCA-secure key encapsulation mechanism (KEM) under these assumptions, which is almost as efficient as the Kurosawa-Desmedt KEM. This scheme is also secure in a stronger security notion, the chosen public-key and ciphertext attack (CPCA) security.

The proposed schemes in this paper are redundancy-free (or validity-check-free) and the implication is that combining them with redundancy-free symmetric encryption (DEM) will yield redundancy-free (e.g., MAC-free) CCA-secure hybrid encryption.

1 Introduction

The most common paradigm to design practical public-key cryptosystems secure in the standard model is to combine a trapdoor function (e.g., Diffie-Hellman or RSA function) and target collision resistance (TCR) hash functions, where the security is proven under a trapdoor function assumption (e.g., DDH or SRSA assumption) and the TCR hash function assumption.

This paper introduces a new paradigm to design practical public-key cryptosystems, where a pseudo-random function (PRF) is employed in addition to a trapdoor function (DH) and target collision resistant (TCR) hash function.

The concept of a PRF was introduced by Goldreich, Goldwasser and Micali [ref], and has been shown to exist if and only if a one-way function exists [ref]. Therefore, the existence of a pseudo-random function is one of the weakest assumptions, and it is one of the most fundamental primitives in cryptography.

Since a target collision resistant (TCR) hash function (and the slightly more general concept, the universal one-way hash function) have also been shown to exist if and only if a one-way function exists [ref], TCR hash functions and PRFs are the same level of (the most) fundamental primitives in cryptography. In practice, a well-designed efficient hash function can be assumed to be a TCR hash function, and such a hash function with a random seed as a part of the input (or a keyed hash function) can be assumed to be a PRF.

K. Kurosawa (Ed.): ASIACRYPT 2007, LNCS 4833, pp. 474-484, 2007.

First, this paper presents a two-pass AKE protocol that offers the following properties:

1. Its efficiency is comparable to those of MQV [ref], HMQV [ref] and CMQV [ref] (the message size of our scheme is that of MQV plus the size of two group elements, and the computational complexity for a session of our scheme is around 3.3 group exponentiations, while that of MQV is around 2.2 group exponentiations),

2. The assumptions and model for its security proof are standard assumptions (DDH, TCR hash function and PRF) and the standard model (not the random oracle model),

3. Its underlying security definition is (currently) the strongest one, the extended Canetti-Krawczyk (eCK) security definition introduced by LaMacchia, Lauter and Mityagin [ref],

4. Its security proof reduction efficiency is better than those of previous protocols in the random oracle model.

This paper also proposes a CCA-secure key encapsulation mechanism (KEM) under these assumptions, which is almost as efficient as the Kurosawa-Desmedt KEM [ref]. This scheme is also secure in a stronger security notion, the chosen public-key and ciphertext attack (CPCA) security, in which an adversary, given a target public key pk* and ciphertext c*, is allowed to query a pair of public key pk and ciphertext c to the decryption oracle, which answers the adversary with the decrypted result of c by the secret key of pk.

The proposed schemes in this paper are redundancy-free (or validity-check-free) and imply redundancy-free (e.g., MAC-free) CCA-secure hybrid encryption by combining them with redundancy-free CCA-secure symmetric encryption (DEM).

2 Preliminaries

2.1 Notations

$\mathbb{N}$ is the set of natural numbers and $\mathbb{R}$ is the set of real numbers. $\bot$ denotes a null string.

A function $f : \mathbb{N} \to \mathbb{R}$ is negligible in $k$ if for every constant $c > 0$ there exists an integer $n$ such that $f(k) < k^{-c}$ for all $k > n$. Hereafter, we often use $f(k) < \epsilon(k)$ to mean that $f$ is negligible in $k$.

When $A$ is a probabilistic machine or algorithm, $A(x)$ denotes the random variable of $A$'s output on input $x$. Then, $y \xleftarrow{R} A(x)$ denotes that $y$ is randomly selected from $A(x)$ according to its distribution. When $a$ is a value, $A(x) \to a$ denotes the event that $A$ outputs $a$ on input $x$. When $A$ is a set, $y \xleftarrow{U} A$ denotes that $y$ is uniformly selected from $A$. When $A$ is a value, $y \leftarrow A$ denotes that $y$ is set as $A$.

In this paper, we consider that the underlying machines are uniform Turing machines. But it is easy to extend our results to non-uniform Turing machines.
2.2 The DDH Assumption

Let $k$ be a security parameter and $G$ be a group with security parameter $k$, where the order of $G$ is prime $p$ and $|p| = k$. Let $\{G\}_k$ be the set of groups $G$ with security parameter $k$.

For all $k \in \mathbb{N}$ we define the sets $D$ and $R$ as follows:

$$D(k) \leftarrow \{(G, g_1, g_2, g_1^x, g_2^x) \mid G \xleftarrow{U} \{G\}_k,\ (g_1, g_2) \xleftarrow{U} G^2,\ x \xleftarrow{U} \mathbb{Z}_p\}$$

$$R(k) \leftarrow \{(G, g_1, g_2, y_1, y_2) \mid G \xleftarrow{U} \{G\}_k,\ (g_1, g_2, y_1, y_2) \xleftarrow{U} G^4\}.$$

Let $A$ be a probabilistic polynomial-time machine. For all $k \in \mathbb{N}$, we define the DDH advantage of $A$ as

$$\mathrm{AdvDDH}_A(k) \leftarrow \big|\Pr[A(1^k, \rho) \to 1 \mid \rho \xleftarrow{U} D(k)] - \Pr[A(1^k, \rho) \to 1 \mid \rho \xleftarrow{U} R(k)]\big|.$$

The DDH assumption for $\{G\}_{k \in \mathbb{N}}$ is: for any probabilistic polynomial-time adversary $A$, $\mathrm{AdvDDH}_A(k)$ is negligible in $k$.

2.3 Pseudo-Random Function (PRF)

Let $k \in \mathbb{N}$ be a security parameter. A pseudo-random function (PRF) family $F$ associated with $\{\mathrm{Seed}_k\}_{k \in \mathbb{N}}$, $\{\mathrm{Dom}_k\}_{k \in \mathbb{N}}$ and $\{\mathrm{Rng}_k\}_{k \in \mathbb{N}}$ specifies two items:

- A family of random seeds $\{\mathrm{Seed}_k\}_{k \in \mathbb{N}}$.

- A family of pseudo-random functions indexed by $k$, $\Sigma \xleftarrow{U} \mathrm{Seed}_k$, $\sigma \xleftarrow{U} \Sigma$, $\mathcal{D} \xleftarrow{U} \mathrm{Dom}_k$ and $\mathcal{R} \xleftarrow{U} \mathrm{Rng}_k$, where each such function $F^{k,\Sigma,\mathcal{D},\mathcal{R}}_\sigma$ maps an element of $\mathcal{D}$ to an element of $\mathcal{R}$. There must exist a deterministic polynomial-time algorithm that on input $1^k$, $\sigma$ and $\rho$, outputs $F^{k,\Sigma,\mathcal{D},\mathcal{R}}_\sigma(\rho)$.

Let $A^{\mathcal{O}}$ be a probabilistic polynomial-time machine with oracle access to $\mathcal{O}$. For all $k$, we define

$$\mathrm{AdvPRF}_{F,A}(k) \leftarrow \big|\Pr[A^{F}(1^k, \mathcal{D}, \mathcal{R}) \to 1] - \Pr[A^{RF}(1^k, \mathcal{D}, \mathcal{R}) \to 1]\big|,$$

where $\Sigma \xleftarrow{U} \mathrm{Seed}_k$, $\sigma \xleftarrow{U} \Sigma$, $\mathcal{D} \xleftarrow{U} \mathrm{Dom}_k$, $\mathcal{R} \xleftarrow{U} \mathrm{Rng}_k$, $F \leftarrow F^{k,\Sigma,\mathcal{D},\mathcal{R}}_\sigma$ and $RF : \mathcal{D} \to \mathcal{R}$ is a truly random function (for all $\rho \in \mathcal{D}$, $RF(\rho) \xleftarrow{U} \mathcal{R}$).

$F$ is a pseudo-random function (PRF) family if for any probabilistic polynomial-time adversary $A$, $\mathrm{AdvPRF}_{F,A}(k)$ is negligible in $k$.
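The distinguishing experiment behind $\mathrm{AdvPRF}_{F,A}(k)$ is easy to run concretely. The following Python harness is an added example for this edition, not code from the paper: it gives a distinguisher $A$ oracle access either to a keyed candidate $F_\sigma$ (left experiment) or to a lazily sampled truly random function $RF$ (right experiment) and estimates the advantage as the difference of the two acceptance rates. The two candidates are the example's own: HMAC-SHA256 truncated to 64 bits, standing in for the keyed hash function the text says may be assumed to be a PRF, and a deliberately broken candidate $F_\sigma(\rho) = \rho \oplus \sigma$, which is keyed but linear. The distinguisher tests exactly that linearity, so it separates the two candidates cleanly; the domain and range sizes are toy values chosen for speed.

```python
import hashlib
import hmac
import random

OUT_LEN = 8   # toy Dom_k = Rng_k = {0,1}^64; real parameters are much larger


def rand_bytes(rng, n=OUT_LEN):
    return rng.getrandbits(8 * n).to_bytes(n, "big")


def xor_bytes(*parts):
    out = bytes(OUT_LEN)
    for p in parts:
        out = bytes(a ^ b for a, b in zip(out, p))
    return out


def hmac_prf(seed):
    """Candidate F_sigma(rho): HMAC-SHA256 under the seed sigma, truncated to OUT_LEN bytes
    (a keyed hash function, which the paper says may be assumed to be a PRF)."""
    return lambda rho: hmac.new(seed, rho, hashlib.sha256).digest()[:OUT_LEN]


def xor_prf(seed):
    """A deliberately broken candidate: F_sigma(rho) = rho XOR sigma. Keyed, but linear in rho."""
    return lambda rho: xor_bytes(rho, seed)


def random_function(rng):
    """RF: a truly random function Dom -> Rng, sampled lazily and memoised so repeated queries agree."""
    table = {}

    def rf(rho):
        if rho not in table:
            table[rho] = rand_bytes(rng)
        return table[rho]
    return rf


def linearity_distinguisher(oracle, rng):
    """A^O: query three random points and their XOR; output 1 iff O(x)^O(y)^O(z) == O(x^y^z).
    A linear oracle always satisfies this; a random function does so with probability 2^-64."""
    x, y, z = rand_bytes(rng), rand_bytes(rng), rand_bytes(rng)
    return int(xor_bytes(oracle(x), oracle(y), oracle(z)) == oracle(xor_bytes(x, y, z)))


def prf_advantage(candidate, trials=200, seed=1):
    """Monte-Carlo estimate of AdvPRF_{F,A}(k) = |Pr[A^F -> 1] - Pr[A^RF -> 1]| for the distinguisher
    above. Each trial draws a fresh seed sigma for the left experiment and a fresh RF for the right one."""
    rng = random.Random(seed)
    hits_f = hits_rf = 0
    for _ in range(trials):
        sigma = rand_bytes(rng)
        hits_f += linearity_distinguisher(candidate(sigma), rng)
        hits_rf += linearity_distinguisher(random_function(rng), rng)
    return abs(hits_f - hits_rf) / trials


if __name__ == "__main__":
    print("AdvPRF for the XOR candidate:", prf_advantage(xor_prf))    # 1.0: the linearity test always fires
    print("AdvPRF for HMAC-SHA256      :", prf_advantage(hmac_prf))   # 0.0 at this sample size
```

The point to take from the harness is that a PRF adversary is only ever given oracle access, never $\sigma$; the XOR candidate fails not because its key leaks but because a structural relation between outputs survives for every key, and the definition charges that relation to the family.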

2.4 Target Collision Resistant (TCR) Hash Function

Let $k \in \mathbb{N}$ be a security parameter. A target collision resistant (TCR) hash function family $H$ associated with $\{\mathrm{Dom}_k\}_{k \in \mathbb{N}}$ and $\{\mathrm{Rng}_k\}_{k \in \mathbb{N}}$ specifies two items:

- A family of key spaces indexed by $k$. Each such key space is a probability space on bit strings denoted by $KH_k$. There must exist a probabilistic polynomial-time algorithm whose output distribution on input $1^k$ is equal to $KH_k$.

- A family of hash functions indexed by $k$, $h \xleftarrow{R} KH_k$, $\mathcal{D} \xleftarrow{U} \mathrm{Dom}_k$ and $\mathcal{R} \xleftarrow{U} \mathrm{Rng}_k$, where each such function $H^{k,\mathcal{D},\mathcal{R}}_h$ maps an element of $\mathcal{D}$ to an element of $\mathcal{R}$. There must exist a deterministic polynomial-time algorithm that on input $1^k$, $h$ and $\rho$, outputs $H^{k,\mathcal{D},\mathcal{R}}_h(\rho)$.

Let $A$ be a probabilistic polynomial-time machine. For all $k$, we define

$$\mathrm{AdvTCR}_{H,A}(k) \leftarrow \Pr[\rho \in \mathcal{D} \wedge \rho \neq \rho^* \wedge H^{k,\mathcal{D},\mathcal{R}}_h(\rho) = H^{k,\mathcal{D},\mathcal{R}}_h(\rho^*) \mid \rho \xleftarrow{R} A(1^k, \rho^*, h, \mathcal{D}, \mathcal{R})],$$

where $\mathcal{D} \xleftarrow{U} \mathrm{Dom}_k$, $\mathcal{R} \xleftarrow{U} \mathrm{Rng}_k$, $\rho^* \xleftarrow{U} \mathcal{D}$ and $h \xleftarrow{R} KH_k$. $H$ is a target collision resistant (TCR) hash function family if for any probabilistic polynomial-time adversary $A$, $\mathrm{AdvTCR}_{H,A}(k)$ is negligible in $k$.

2.5 PKI-Based Authenticated Key Exchange (AKE) and the Extended Canetti-Krawczyk (eCK) Security Definition

This section outlines the extended Canetti-Krawczyk (eCK) security definition for two-pass PKI-based authenticated key exchange (AKE) protocols that was introduced by LaMacchia, Lauter and Mityagin [ref], and follows the description in [ref].

In the eCK definition, we suppose there are $n$ parties which are modeled as probabilistic polynomial-time Turing machines. We assume that some agreement on the common parameters in the AKE protocol has been made among the parties before starting the protocol. The mechanism by which these parameters are selected is out of scope of the AKE protocol and the (eCK) security model.

Each party has a static public-private key pair together with a certificate that binds the public key to that party. $\hat{A}$ ($\hat{B}$) denotes the static public key $A$ ($B$) of party $A$ ($B$) together with a certificate. We do not assume that the certifying authority (CA) requires parties to prove possession of their static private keys, but we require that the CA verifies that the static public key of a party belongs to the domain of public keys.

Here, two parties exchange static public keys $A, B$ and ephemeral public keys $X, Y$; the session key is obtained by combining $A, B, X, Y$ and possibly session identities. A party $A$ can be activated to execute an instance of the protocol called a session. Activation is made via an incoming message that has one of the following forms: $(A, B)$ or $(B, A, X)$. If $A$ was activated with $(A, B)$, then $A$ is called the session initiator, otherwise the session responder. Session initiator $A$ creates an ephemeral public-private key pair $(X, x)$ and sends $(B, A, X)$ to session responder $B$. $B$ then creates an ephemeral public-private key pair $(Y, y)$ and sends $(A, B, X, Y)$ to $A$.

The session of initiator $A$ with responder $B$ is identified via the session identifier $(A, B, X, Y)$, where $A$ is said to be the owner of the session, and $B$ the peer of the session. The session of responder $B$ with initiator $A$ is identified as $(B, A, Y, X)$, where $B$ is the owner, and $A$ is the peer. Session $(B, A, Y, X)$ is said to be a matching session of $(A, B, X, Y)$. We say that a session is completed if its owner computes a session key.
The adversary $\mathcal{M}$ is modeled as a probabilistic polynomial-time Turing machine and controls all communications. Parties submit outgoing messages to the adversary, who makes decisions about their delivery. The adversary presents parties with incoming messages via Send(message), thereby controlling the activation of sessions. In order to capture possible leakage of private information, adversary $\mathcal{M}$ is allowed the following queries:

- EphemeralKeyReveal(sid): The adversary obtains the ephemeral private key associated with session sid.

- SessionKeyReveal(sid): The adversary obtains the session key for session sid, provided that the session holds a session key.

- StaticKeyReveal(pid): The adversary learns the static private key of party pid.

- EstablishParty(pid): This query allows the adversary to register a static public key on behalf of a party. In this way the adversary totally controls that party.

If a party pid is established by an EstablishParty(pid) query issued by adversary $\mathcal{M}$, then we call the party dishonest. If a party is not dishonest, we call the party honest.

The aim of adversary $\mathcal{M}$ is to distinguish a session key from a random key. Formally, the adversary is allowed to make a special query Test(sid*), where sid* is called the target session. The adversary is then given with equal probability either the session key $K^*$ held by sid* or a random key $R^* \xleftarrow{U} \{0,1\}^{|K^*|}$. The adversary wins the game if he guesses correctly whether the key is random or not. To define the game, we need the notion of a fresh session as follows:

Definition 1 (fresh session). Let sid be the session identifier of a completed session, owned by an honest party $A$ with peer $B$, who is also honest. Let $\overline{\mathrm{sid}}$ be the session identifier of the matching session of sid, if it exists. Define session sid to be "fresh" if none of the following conditions hold:

- $\mathcal{M}$ issues a SessionKeyReveal(sid) query or a SessionKeyReveal($\overline{\mathrm{sid}}$) query (if $\overline{\mathrm{sid}}$ exists),

- $\overline{\mathrm{sid}}$ exists and $\mathcal{M}$ makes either of the following queries: both StaticKeyReveal($A$) and EphemeralKeyReveal(sid), or both StaticKeyReveal($B$) and EphemeralKeyReveal($\overline{\mathrm{sid}}$),

- $\overline{\mathrm{sid}}$ does not exist and $\mathcal{M}$ makes either of the following queries: both StaticKeyReveal($A$) and EphemeralKeyReveal(sid), or StaticKeyReveal($B$).

We are now ready to present the eCK security notion.

Definition 2 (eCK security). Let $K^*$ be a session key of the target session sid* that should be "fresh", $R^* \xleftarrow{U} \{0,1\}^{|K^*|}$, and $b^* \xleftarrow{U} \{0,1\}$. As a reply to the Test(sid*) query by $\mathcal{M}$, $K^*$ is given to $\mathcal{M}$ if $b^* = 0$; $R^*$ is given otherwise. Finally $\mathcal{M}$ outputs $b \in \{0,1\}$. We define

$$\mathrm{AdvAKE}_{\mathcal{M}}(k) \leftarrow \big|\Pr[b = b^*] - 1/2\big|.$$

A key exchange protocol is secure if the following conditions hold:

- If two honest parties complete matching sessions, then they both compute the same session key (or both output an indication of protocol failure).

- For any probabilistic polynomial-time adversary $\mathcal{M}$, $\mathrm{AdvAKE}_{\mathcal{M}}(k)$ is negligible in $k$.

This security definition is stronger than CK-security [ref] and it simultaneously captures all the known desirable security properties for authenticated key exchange including resistance to key-compromise impersonation attacks, weak perfect forward secrecy, and resilience to the leakage of ephemeral private keys.
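The freshness conditions of Definition 1 decide which leakage patterns an eCK adversary may combine with a Test query, and they are the place where the properties just listed are encoded. The following predicate is an added example for this edition, not code from the paper: it takes a session identifier, the set of activated sessions, the set of honest parties and the adversary's query log (all constructed), and returns whether the session is fresh. The tuple encoding of identifiers and queries and the scenario names are the example's own; the session named SID is assumed completed, as Definition 1 requires.

```python
from typing import Set, Tuple

Sid = Tuple[str, str, str, str]   # (owner, peer, owner's ephemeral public key, peer's ephemeral public key)
Query = Tuple[str, object]        # ("SessionKeyReveal", sid) | ("StaticKeyReveal", pid) | ("EphemeralKeyReveal", sid)


def matching(sid: Sid) -> Sid:
    """(B, A, Y, X) is the matching session of (A, B, X, Y)."""
    a, b, x, y = sid
    return (b, a, y, x)


def is_fresh(sid: Sid, existing: Set[Sid], honest: Set[str], queries: Set[Query]) -> bool:
    """Definition 1 as a predicate over the adversary's query log.
    `existing` holds the identifiers of activated sessions (sid itself is assumed completed);
    `honest` holds the parties that were not created through EstablishParty."""
    owner, peer = sid[0], sid[1]
    if owner not in honest or peer not in honest:
        return False                       # freshness is only defined between honest parties
    m = matching(sid)
    m_exists = m in existing
    static_a = ("StaticKeyReveal", owner) in queries
    static_b = ("StaticKeyReveal", peer) in queries
    eph_sid = ("EphemeralKeyReveal", sid) in queries
    eph_m = ("EphemeralKeyReveal", m) in queries
    # condition 1: the session key of sid, or of its matching session, was revealed
    if ("SessionKeyReveal", sid) in queries or (m_exists and ("SessionKeyReveal", m) in queries):
        return False
    # condition 2: matching session exists and both secrets of one side of the same session leaked
    if m_exists and ((static_a and eph_sid) or (static_b and eph_m)):
        return False
    # condition 3: no matching session (the adversary may have played B), so B's static key is off limits
    if not m_exists and ((static_a and eph_sid) or static_b):
        return False
    return True


# Constructed scenario: A and B are honest, and A's session with B has a matching session at B.
SID: Sid = ("A", "B", "X", "Y")
EXISTING = {SID, matching(SID)}
HONEST = {"A", "B", "C"}


def scenarios():
    """Leakage patterns and whether SID stays fresh under each; the True cases are the properties
    the eCK definition is meant to capture."""
    return {
        "no leakage": is_fresh(SID, EXISTING, HONEST, set()),
        "both static keys (weak PFS)": is_fresh(
            SID, EXISTING, HONEST, {("StaticKeyReveal", "A"), ("StaticKeyReveal", "B")}),
        "both ephemeral keys": is_fresh(
            SID, EXISTING, HONEST, {("EphemeralKeyReveal", SID), ("EphemeralKeyReveal", matching(SID))}),
        "A's static + B's ephemeral (KCI)": is_fresh(
            SID, EXISTING, HONEST, {("StaticKeyReveal", "A"), ("EphemeralKeyReveal", matching(SID))}),
        "A's static + A's ephemeral": is_fresh(
            SID, EXISTING, HONEST, {("StaticKeyReveal", "A"), ("EphemeralKeyReveal", SID)}),
        "matching session key revealed": is_fresh(
            SID, EXISTING, HONEST, {("SessionKeyReveal", matching(SID))}),
        "no matching session, B's static key": is_fresh(SID, {SID}, HONEST, {("StaticKeyReveal", "B")}),
        "no matching session, A's static key": is_fresh(SID, {SID}, HONEST, {("StaticKeyReveal", "A")}),
    }


if __name__ == "__main__":
    for name, fresh in scenarios().items():
        print(f"{name:40s} fresh={fresh}")
```

The asymmetry in condition 3 is the one to notice: without a matching session the adversary may itself have supplied $Y$, so revealing $B$'s static key alone would let it compute the key legitimately, while revealing $A$'s static key alone is still allowed, which is what resistance to key-compromise impersonation demands.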

2.6 Key -Encapsulation Mechanism (KEM) 

A key encapsulation mechanism (KEM) scheme is a triple of algorithms, $\Sigma = (\mathsf{K}, \mathsf{E}, \mathsf{D})$, where

1. $\mathsf{K}$, the key generation algorithm, is a probabilistic polynomial time (PPT) algorithm that takes a security parameter $k \in \mathbb{N}$ (provided in unary) and returns a pair $(pk, sk)$ of matching public and secret keys.

2. $\mathsf{E}$, the key encryption algorithm, is a PPT algorithm that takes as input a public key $pk$ and outputs a key/ciphertext pair $(K^*, C^*)$.

3. $\mathsf{D}$, the decryption algorithm, is a deterministic polynomial time algorithm that takes as input a secret key $sk$ and a ciphertext $C^*$, and outputs a key $K^*$ or $\bot$ ($\bot$ means that the ciphertext is invalid).

We require that for all $(pk, sk)$ output by the key generation algorithm $\mathsf{K}$ and for all $(K^*, C^*)$ output by the key encryption algorithm $\mathsf{E}(pk)$, $\mathsf{D}(sk, C^*) = K^*$ holds. Here, the length of the key, $|K^*|$, is specified by $l(k)$, where $k$ is the security parameter.

Let $\mathcal{A}$ be an adversary. The attack game is defined in terms of an interactive computation between adversary $\mathcal{A}$ and its challenger, $\mathcal{C}$. The challenger $\mathcal{C}$ responds to the oracle queries made by $\mathcal{A}$. We now describe the attack game (IND-CCA2 game) used to define security against adaptive chosen ciphertext attacks (IND-CCA2).

1. The challenger $\mathcal{C}$ generates a pair of keys, $(pk, sk) \leftarrow \mathsf{K}(1^k)$, and gives $pk$ to adversary $\mathcal{A}$.

2. Repeat the following procedure $q_1(k)$ times, for $i = 1, \ldots, q_1(k)$, where $q_1(\cdot)$ is a polynomial. $\mathcal{A}$ submits a string $C_i$ to a decryption oracle, DO (in $\mathcal{C}$), and DO returns $\mathsf{D}_{sk}(C_i)$ to $\mathcal{A}$.

3. $\mathcal{A}$ submits the encryption query to $\mathcal{C}$. The encryption oracle, EO, in $\mathcal{C}$ selects $b^* \leftarrow \{0,1\}$, computes $(C^*, K^*) \leftarrow \mathsf{E}(pk)$, and returns $(C^*, K^*)$ to $\mathcal{A}$ if $b^* = 0$ and $(C^*, R^*)$ if $b^* = 1$, where $R^* \leftarrow \{0,1\}^{|K^*|}$ ($C^*$ is called the "target ciphertext").

4. Repeat the following procedure $q_2(k)$ times, for $j = q_1(k) + 1, \ldots, q_1(k) + q_2(k)$, where $q_2(\cdot)$ is a polynomial. $\mathcal{A}$ submits a string $C_j$ to the decryption oracle, DO (in $\mathcal{C}$), subject only to the restriction that a submitted text $C_j$ is not identical to $C^*$. DO returns $\mathsf{D}_{sk}(C_j)$ to $\mathcal{A}$.

5. $\mathcal{A}$ outputs $b \in \{0,1\}$.

We define the IND-CCA2 advantage of $\mathcal{A}$, $\mathrm{Adv}^{\mathrm{IND\text{-}CCA2}}_{\mathrm{KEM},\mathcal{A}}(k) = \left|\Pr[b = b^*] - 1/2\right|$, in the above attack game.

We say that a KEM scheme is IND-CCA2-secure (secure against adaptive chosen ciphertext attacks) if for any probabilistic polynomial-time (PPT) adversary $\mathcal{A}$, $\mathrm{Adv}^{\mathrm{IND\text{-}CCA2}}_{\mathrm{KEM},\mathcal{A}}(k)$ is negligible in $k$.

3 The Proposed AKE Protocol

3.1 Protocol

Let $k \in \mathbb{N}$ be a security parameter, $G \leftarrow \{G\}_k$ be a group with security parameter $k$, and $(g_1, g_2) \leftarrow G^2$, where the order of $G$ is prime $p$ and $|p| = k$. Let $\mathsf{H}$ be a TCR hash function family, and $\mathsf{F}$, $\tilde{\mathsf{F}}$ and $\hat{\mathsf{F}}$ be PRF families. $(G, g_1, g_2)$, $\mathsf{H}$, $\mathsf{F}$, $\tilde{\mathsf{F}}$ and $\hat{\mathsf{F}}$ are the system parameters common among all users of the proposed AKE protocol (although $\tilde{\mathsf{F}}$ and $\hat{\mathsf{F}}$ can be set privately by each party). We assume that the system parameters are selected by a trusted third party.

Party $A$'s static private key is $(a_1, a_2, a_3, a_4) \leftarrow (\mathbb{Z}_p)^4$ and $A$'s static public key is $A_1 \leftarrow g_1^{a_1} g_2^{a_2}$, $A_2 \leftarrow g_1^{a_3} g_2^{a_4}$. $h_A \leftarrow \mathrm{KH}_k$ indexes a TCR hash function $H_A \leftarrow \mathsf{H}^{h_A, D_H, R_H}_k$, where $D_H \leftarrow \Pi_k \times G^4$, $R_H \leftarrow \mathbb{Z}_p$ and $\Pi_k$ denotes the space of possible certificates for static public keys.

Similarly, Party $B$'s static private key is $(b_1, b_2, b_3, b_4) \leftarrow (\mathbb{Z}_p)^4$ and $B$'s static public key is $B_1 \leftarrow g_1^{b_1} g_2^{b_2}$, $B_2 \leftarrow g_1^{b_3} g_2^{b_4}$. $h_B \leftarrow \mathrm{KH}_k$ indexes a TCR hash function $H_B \leftarrow \mathsf{H}^{h_B, D_H, R_H}_k$.

$A$ and $B$ set PRFs $F \leftarrow \mathsf{F}^{\Sigma_F, D_F, R_F}_k$, $\tilde{F} \leftarrow \tilde{\mathsf{F}}^{\Sigma_{\tilde F}, D_{\tilde F}, R_{\tilde F}}_k$ and $\hat{F} \leftarrow \hat{\mathsf{F}}^{\Sigma_{\hat F}, D_{\hat F}, R_{\hat F}}_k$, where $\Sigma_F \leftarrow G$, $D_F \leftarrow (\Pi_k)^2 \times G^8$, $R_F \leftarrow \{0,1\}^k$, $\Sigma_{\tilde F} \leftarrow \{0,1\}^k$, $D_{\tilde F} \leftarrow (\mathbb{Z}_p)^4$, $R_{\tilde F} \leftarrow \mathbb{Z}_p$, $\Sigma_{\hat F} \leftarrow (\mathbb{Z}_p)^4$, $D_{\hat F} \leftarrow \{0,1\}^k$, and $R_{\hat F} \leftarrow \mathbb{Z}_p$.

To establish a session key with party $B$, party $A$ performs the following procedure.

1. Select an ephemeral private key $\tilde{x} \leftarrow \{0,1\}^k$.

2. Compute $x \leftarrow \tilde{F}_{\tilde{x}}(a_1, a_2, a_3, a_4) + \hat{F}_{(a_1, a_2, a_3, a_4)}(\tilde{x}) \bmod p$ and the ephemeral public key $(X_1 \leftarrow g_1^{x},\ X_2 \leftarrow g_2^{x})$.

3. Erase $x$.

4. Send $(B, A, X_1, X_2)$ to $B$.

Upon receiving $(B, A, X_1, X_2)$, party $B$ verifies that $(X_1, X_2) \in G^2$. If so, $B$ performs the following procedure.

1. Select an ephemeral private key $\tilde{y} \leftarrow \{0,1\}^k$.

2. Compute $y \leftarrow \tilde{F}_{\tilde{y}}(b_1, b_2, b_3, b_4) + \hat{F}_{(b_1, b_2, b_3, b_4)}(\tilde{y}) \bmod p$ and the ephemeral public key $(Y_1 \leftarrow g_1^{y},\ Y_2 \leftarrow g_2^{y})$.

3. Erase $y$.

4. Send $(A, B, X_1, X_2, Y_1, Y_2)$ to $A$.
A:      (a_1, a_2, a_3, a_4) ← (Z_p)^4;  A_1 ← g_1^{a_1} g_2^{a_2},  A_2 ← g_1^{a_3} g_2^{a_4};  h_A
B:      (b_1, b_2, b_3, b_4) ← (Z_p)^4;  B_1 ← g_1^{b_1} g_2^{b_2},  B_2 ← g_1^{b_3} g_2^{b_4};  h_B

A:      x̃ ← {0,1}^k
        x ← F̃_{x̃}(a_1, a_2, a_3, a_4) + F̂_{(a_1, a_2, a_3, a_4)}(x̃) mod p
        X_1 ← g_1^x,  X_2 ← g_2^x
A → B:  (B, A, X_1, X_2)
B:      (X_1, X_2) ∈ G^2 ?
        ỹ ← {0,1}^k
        y ← F̃_{ỹ}(b_1, b_2, b_3, b_4) + F̂_{(b_1, b_2, b_3, b_4)}(ỹ) mod p
        Y_1 ← g_1^y,  Y_2 ← g_2^y
B → A:  (A, B, X_1, X_2, Y_1, Y_2)
A:      (Y_1, Y_2) ∈ G^2 ?
        c ← H_A(A, Y_1, Y_2),  d ← H_B(B, X_1, X_2)
        σ_A ← Y_1^{a_1 + c a_3 + x} Y_2^{a_2 + c a_4 + x} B_1^{x} B_2^{d x}
        K ← F_σ(sid)
B:      c ← H_A(A, Y_1, Y_2),  d ← H_B(B, X_1, X_2)
        σ_B ← X_1^{b_1 + d b_3 + y} X_2^{b_2 + d b_4 + y} A_1^{y} A_2^{c y}
        K ← F_σ(sid)

Here, sid ← (A, B, X_1, X_2, Y_1, Y_2). Note that (A_1, A_2, B_1, B_2) ∈ G^4 is confirmed indirectly through the certificates.

Fig. 1. The Proposed AKE


Upon receiving $(A, B, X_1, X_2, Y_1, Y_2)$, party $A$ checks whether it sent $(B, A, X_1, X_2)$ to $B$. If so, $A$ verifies that $(Y_1, Y_2) \in G^2$.

To compute the session key, $A$ computes $\sigma_A \leftarrow Y_1^{a_1 + c a_3 + x}\, Y_2^{a_2 + c a_4 + x}\, B_1^{x}\, B_2^{d x}$, and $B$ computes $\sigma_B \leftarrow X_1^{b_1 + d b_3 + y}\, X_2^{b_2 + d b_4 + y}\, A_1^{y}\, A_2^{c y}$, where $c \leftarrow H_A(A, Y_1, Y_2)$ and $d \leftarrow H_B(B, X_1, X_2)$. If they are correctly computed, $\sigma \leftarrow \sigma_A\ (= \sigma_B)$, since both sides obtain $g_1^{(a_1 + c a_3) y + (b_1 + d b_3) x + xy}\, g_2^{(a_2 + c a_4) y + (b_2 + d b_4) x + xy}$. The session key is $K \leftarrow F_\sigma(\mathrm{sid})$, where $\mathrm{sid} \leftarrow (A, B, X_1, X_2, Y_1, Y_2)$.

3.2 Security 

Theorem 1. The proposed AKE protocol is secure (in the sense of Definition 2) if the DDH assumption holds for $\{G\}_{k \in \mathbb{N}}$, $\mathsf{H}$ is a TCR hash function family, and $\mathsf{F}$, $\tilde{\mathsf{F}}$ and $\hat{\mathsf{F}}$ are PRF families.

The proof will be given in the full paper version of this paper. 
4 The Proposed KEM Scheme

4.1 Scheme 

In this section, we show a CCA secure KEM scheme. 

Let $k \in \mathbb{N}$ be a security parameter, and let $G \leftarrow \{G\}_k$ be a group with security parameter $k$, where the order of $G$ is prime $p$ and $|p| = k$.

Let $\mathsf{H}$ be a TCR hash function family, and $\mathsf{F}$ be a PRF family.

Secret Key: The secret key is $sk \leftarrow (x_1, x_2, y_1, y_2) \leftarrow \mathbb{Z}_p^4$.

Public Key: $g_1 \leftarrow G$, $g_2 \leftarrow G$, $z \leftarrow g_1^{x_1} g_2^{x_2}$, $w \leftarrow g_1^{y_1} g_2^{y_2}$, $H \leftarrow \mathsf{H}^{h, D_H, R_H}_k$ and $F \leftarrow \mathsf{F}^{\Sigma_F, D_F, R_F}_k$, where $h \leftarrow \mathrm{KH}_k$, $D_H \leftarrow \{pk\} \times G^2$ ($pk$ is a possible public-key value), $R_H \leftarrow \mathbb{Z}_p$, $\Sigma_F \leftarrow G$, $D_F \leftarrow \{pk\} \times G^2$ and $R_F \leftarrow \{0,1\}^k$.

The public key is $pk \leftarrow (G, g_1, g_2, z, w, H, F)$.

Encryption: Choose $r \leftarrow \mathbb{Z}_p$ and compute

$$C_1 \leftarrow g_1^{r},\qquad C_2 \leftarrow g_2^{r},\qquad d \leftarrow H(z, w, C_1, C_2),\qquad \sigma \leftarrow z^{r} w^{rd},\qquad K \leftarrow F_\sigma(pk, C_1, C_2).$$

$(C_1, C_2)$ is the ciphertext, and $K$ is the secret key to be shared.

Decryption: Given $(z, w, C_1, C_2)$, check whether

$$(z, w, C_1, C_2) \in G^4.$$

If it holds, compute

$$d \leftarrow H(z, w, C_1, C_2),\qquad \sigma \leftarrow C_1^{x_1 + d y_1}\, C_2^{x_2 + d y_2},\qquad K \leftarrow F_\sigma(pk, C_1, C_2).$$

Correctness follows from $C_1^{x_1 + d y_1} C_2^{x_2 + d y_2} = (g_1^{x_1} g_2^{x_2})^{r} (g_1^{y_1} g_2^{y_2})^{rd} = z^{r} w^{rd}$.
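The following Python program is an added example, not the paper's own code. It runs the AKE of Section 3.1 end to end (static keys, the twisted-PRF exponent $x$, the $(X_1, X_2) \in G^2$ check, and both parties' $\sigma$ computation) and the KEM of this section, so that $\sigma_A = \sigma_B$ and the KEM round trip can be checked on a realistically sized group. Everything not in the paper is this example's assumption: the prime-order group $G$ is the order-$q$ subgroup of $\mathbb{Z}_N^*$ for a safe prime $N = 2q + 1$ (the paper's $p$ is `q` in the code), the PRFs $F$, $\tilde F$, $\hat F$ are HMAC-SHA256, the TCR hashes $H_A$, $H_B$, $H$ are SHA-256 keyed by the index $h$ and reduced into $\mathbb{Z}_q$, the ephemeral strings $\tilde x$, $\tilde y$ are 128 bits, and the function names (`make_group`, `twisted_exp`, `ake_session_key`, `kem_encap`, `kem_decap`, `demo`) are the example's own.

```python
"""AKE of Section 3.1 and KEM of Section 4.1 in the order-q subgroup of Z_N^*, N = 2q+1 a safe prime
(q plays the paper's p). Added example, not the paper's code; PRF/TCR instantiations are this example's."""
import hashlib, hmac, random
from collections import namedtuple
Group = namedtuple("Group", "N q g1 g2")   # modulus N, subgroup order q, generators g1, g2 of G
Cert = namedtuple("Cert", "name pub h")    # certificate: identity, static public key (A1, A2), hash index h

def is_prime(n, rng, rounds=16):           # Miller-Rabin; a composite passes a round w.p. <= 1/4
    if n < 4 or any(n % s == 0 for s in (2, 3, 5, 7, 11, 13)):
        return n in (2, 3, 5, 7, 11, 13)
    d, s = n - 1, 0
    while d % 2 == 0: d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1): continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1: break
        else: return False
    return True
def make_group(bits, rng):                 # safe prime N = 2q+1; squares of x != +-1 generate G
    while True:
        q = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_prime(q, rng) and is_prime(2 * q + 1, rng): break
    N = 2 * q + 1
    return Group(N, q, *(pow(rng.randrange(2, N - 1), 2, N) for _ in range(2)))
def in_G(grp, X):                          # the protocol's membership check "X in G"
    return 1 < X < grp.N and pow(X, grp.q, grp.N) == 1
def enc(*parts):                           # length-prefixed encoding of str / bytes / int values
    out = b""
    for v in parts:
        b = v.encode() if isinstance(v, str) else v if isinstance(v, bytes) else v.to_bytes(64, "big")
        out += len(b).to_bytes(2, "big") + b
    return out
def prf(key, data):                        # F, F~, F^ instantiated with HMAC-SHA256
    return hmac.new(key, data, hashlib.sha256).digest()
def tcr(grp, h, *inp):                     # H_A, H_B, H: SHA-256 keyed by index h, reduced into Z_q
    return int.from_bytes(hashlib.sha256(h + enc(*inp)).digest(), "big") % grp.q

# ---- AKE (Section 3.1) ----
def ake_keygen(grp, name, rng):
    a = tuple(rng.randrange(1, grp.q) for _ in range(4))                  # (a1, a2, a3, a4)
    A1 = pow(grp.g1, a[0], grp.N) * pow(grp.g2, a[1], grp.N) % grp.N     # A1 = g1^a1 g2^a2
    A2 = pow(grp.g1, a[2], grp.N) * pow(grp.g2, a[3], grp.N) % grp.N     # A2 = g1^a3 g2^a4
    return a, Cert(name, (A1, A2), rng.getrandbits(128).to_bytes(16, "big"))
def twisted_exp(grp, a, xt):               # x = F~_{x~}(a1..a4) + F^_{(a1..a4)}(x~) mod q
    t1 = int.from_bytes(prf(xt, b"F~" + enc(*a)), "big")
    t2 = int.from_bytes(prf(enc(*a), b"F^" + xt), "big")
    return (t1 + t2) % grp.q               # recomputed on demand: x is erased, only x~ is kept
def ake_ephemeral(grp, a, rng):
    xt = rng.getrandbits(128).to_bytes(16, "big")                         # ephemeral private key x~
    x = twisted_exp(grp, a, xt)
    return xt, (pow(grp.g1, x, grp.N), pow(grp.g2, x, grp.N))             # (X1, X2) = (g1^x, g2^x)
def ake_session_key(grp, a, xt, cert, eph, peer_cert, peer_eph, sid):
    """sigma = P1^{k1+c*k3+x} P2^{k2+c*k4+x} Q1^x Q2^{d*x}: (P1,P2) peer ephemeral key, (Q1,Q2) peer
    static key, c = H_own(own cert, P1, P2), d = H_peer(peer cert, own X1, X2). Run by A this is
    sigma_A of Section 3.1 (c = H_A(A,Y1,Y2), d = H_B(B,X1,X2)); run by B it is sigma_B."""
    if not (in_G(grp, peer_eph[0]) and in_G(grp, peer_eph[1])):
        raise ValueError("peer ephemeral key not in G^2")
    x, N, q = twisted_exp(grp, a, xt), grp.N, grp.q
    c = tcr(grp, cert.h, cert.name, *cert.pub, *peer_eph)
    d = tcr(grp, peer_cert.h, peer_cert.name, *peer_cert.pub, *eph)
    sigma = (pow(peer_eph[0], (a[0] + c * a[2] + x) % q, N) * pow(peer_eph[1], (a[1] + c * a[3] + x) % q, N)
             * pow(peer_cert.pub[0], x, N) * pow(peer_cert.pub[1], d * x % q, N)) % N
    return prf(sigma.to_bytes(64, "big"), enc(*sid))                      # K = F_sigma(sid)

# ---- KEM (Section 4.1) ----
def kem_keygen(grp, rng):
    sk = tuple(rng.randrange(1, grp.q) for _ in range(4))                 # (x1, x2, y1, y2)
    z = pow(grp.g1, sk[0], grp.N) * pow(grp.g2, sk[1], grp.N) % grp.N    # z = g1^x1 g2^x2
    w = pow(grp.g1, sk[2], grp.N) * pow(grp.g2, sk[3], grp.N) % grp.N    # w = g1^y1 g2^y2
    return (z, w, rng.getrandbits(128).to_bytes(16, "big")), sk           # pk = (z, w, h); g1, g2 in grp
def kem_encap(grp, pk, rng):
    z, w, h = pk
    r = rng.randrange(1, grp.q)
    C1, C2 = pow(grp.g1, r, grp.N), pow(grp.g2, r, grp.N)
    d = tcr(grp, h, z, w, C1, C2)                                         # d = H(z, w, C1, C2)
    sigma = pow(z, r, grp.N) * pow(w, r * d % grp.q, grp.N) % grp.N       # sigma = z^r w^{rd}
    return (C1, C2), prf(sigma.to_bytes(64, "big"), enc(z, w, C1, C2))    # K = F_sigma(pk, C1, C2)
def kem_decap(grp, pk, sk, C):
    z, w, h = pk
    if not all(in_G(grp, v) for v in (z, w, *C)):                         # (z, w, C1, C2) in G^4 ?
        return None                                                       # bottom: invalid ciphertext
    d, (x1, x2, y1, y2) = tcr(grp, h, z, w, *C), sk
    sigma = pow(C[0], (x1 + d * y1) % grp.q, grp.N) * pow(C[1], (x2 + d * y2) % grp.q, grp.N) % grp.N
    return prf(sigma.to_bytes(64, "big"), enc(z, w, *C))                  # equals z^r w^{rd} for honest C

def demo(seed=7, bits=128):                # returns (K_A == K_B, K_enc == K_dec, bad ciphertext rejected)
    rng = random.Random(seed); grp = make_group(bits, rng)
    a, certA = ake_keygen(grp, "A", rng); b, certB = ake_keygen(grp, "B", rng)
    xt, X = ake_ephemeral(grp, a, rng)     # A -> B: (B, A, X1, X2)
    yt, Y = ake_ephemeral(grp, b, rng)     # B -> A: (A, B, X1, X2, Y1, Y2)
    sid = ("A", "B", *X, *Y)
    K_A = ake_session_key(grp, a, xt, certA, X, certB, Y, sid)
    K_B = ake_session_key(grp, b, yt, certB, Y, certA, X, sid)
    pk, sk = kem_keygen(grp, rng); C, K_enc = kem_encap(grp, pk, rng)
    rejected = kem_decap(grp, pk, sk, (grp.N - 1, C[1])) is None          # N - 1 = -1 has order 2, not in G
    return K_A == K_B, K_enc == kem_decap(grp, pk, sk, C), rejected
```

`demo()` returns `(True, True, True)`: both parties derive the same $K$, the KEM round-trips, and a ciphertext whose first component is $N - 1$ (an element of order 2, hence outside $G$) is rejected as $\bot$. The `in_G` checks are the part most easily dropped in an implementation; they are exactly the "$\in G^2$" and "$\in G^4$" tests of Fig. 1 and of Decryption, and without them a peer may submit elements outside $G$ into the exponentiations.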

4.2 CCA Security 

Theorem 2. The proposed KEM scheme is IND-CCA2 secure if the DDH assumption holds for $\{G\}_{k \in \mathbb{N}}$, $\mathsf{H}$ is a TCR hash function family, and $\mathsf{F}$ is a PRF family.

The proof will be given in the full paper version of this paper. 

4.3 CPCA Security 

In this paper, we define a stronger security notion than CCA security for KEM and PKE.

Here, we consider a trapdoor commitment, where the committer (sender) $\mathcal{S}$ commits to $x$ by sending $C \leftarrow \mathsf{E}_{pk}(x)$ to receiver $\mathcal{R}$, then $\mathcal{S}$ opens $x$ by sending $sk$ to $\mathcal{R}$, where $(pk, sk)$ is a pair of public key and secret key, and $x = \mathsf{D}_{sk}(C)$. Using a trapdoor commitment, several committers, $\mathcal{S}_1, \ldots, \mathcal{S}_n$, commit to $x_1, \ldots, x_n$ respectively by sending $C_1 \leftarrow \mathsf{E}_{pk}(x_1), \ldots, C_n \leftarrow \mathsf{E}_{pk}(x_n)$ to receiver $\mathcal{R}$. Another party can open them simultaneously by sending $sk$ to receiver $\mathcal{R}$. A possible malleability attack is as follows: after looking at $pk$ and $C \leftarrow \mathsf{E}_{pk}(x)$ sent to receiver $\mathcal{R}$, adversary $\mathcal{A}$ computes $pk'$, $C'$, an algorithm $\mathrm{Conv}$ and a non-trivial relation $\mathrm{Rel}$. $\mathcal{A}$ registers $pk'$ and sends $C'$ to $\mathcal{R}$ as a commitment to $x'$ such that $\mathrm{Rel}(x, x')$. When $sk$ is opened, $\mathcal{A}$ computes $sk' \leftarrow \mathrm{Conv}(sk)$ and sends $sk'$ to $\mathcal{R}$ such that $x' = \mathsf{D}_{sk'}(C')$.

To capture security against such malleability attacks, we now define the CPCA (Chosen Public-key and Ciphertext Attacks) security for KEM schemes.

Let $\Sigma = (\mathsf{K}, \mathsf{E}, \mathsf{D})$ be a KEM scheme. Let $C^*$, $pk^*$ and $sk^*$ be the target ciphertext, public key and secret key of KEM scheme $\Sigma$. In CPCA security, an adversary $\mathcal{A}$, given $pk^*$ and $C^*$, is allowed to submit a pair of a public key $pk$ and a ciphertext $C$ along with a polynomial-time algorithm $\mathrm{Conv}$ to the decryption oracle DO (with $sk^*$), under the condition that $(pk, C) \neq (pk^*, C^*)$. DO returns $\mathsf{D}_{sk}(C)$ to $\mathcal{A}$, where DO computes $sk \leftarrow \mathrm{Conv}(sk^*, pk^*)$ and $(c, k) \leftarrow \mathsf{E}_{pk}(1^k)$, and confirms that $\mathsf{D}_{sk}(c) = k$. (Here, $\mathsf{D}_{sk}$ is equivalent to $\mathsf{D}_{sk^*}$ except for the difference of $sk$ and $sk^*$.)

We can define the advantage of $\mathcal{A}$ for the IND-CPCA game, $\mathrm{Adv}^{\mathrm{IND\text{-}CPCA}}_{\mathrm{KEM},\mathcal{A}}(k)$, analogously. We say that a KEM scheme is IND-CPCA-secure if for any probabilistic polynomial-time (PPT) adversary $\mathcal{A}$, $\mathrm{Adv}^{\mathrm{IND\text{-}CPCA}}_{\mathrm{KEM},\mathcal{A}}(k)$ is negligible in $k$.

We now show that the proposed KEM scheme is CPCA secure. To prove the security, we need a new requirement for a hash function family, the generalized TCR (GTCR) hash function family.

Let $k \in \mathbb{N}$ be a security parameter. Let $G$ be a group with security parameter $k$, where the order of $G$ is prime $p$ and $|p| = k$, and let $\{G\}_k$ be the set of groups $G$ with security parameter $k$.

Let $\mathsf{H}$ be a TCR hash function family associated with $\mathrm{Dom}_k \leftarrow \{G^4\}_k$, $\mathrm{Rng}_k \leftarrow \{G\}_k$.

For all $k$, we define

$$\mathrm{AdvGTCR}_{\mathsf{H},\mathcal{A}}(k) = \Pr\Big[\rho_3 \in G^2 \ \wedge\ \rho^* \neq ((\rho_1^*)^u, (\rho_2^*)^v, \rho_3) \ \wedge\ H^{h,G}(\rho^*) = (v/u) \cdot H^{h,G}((\rho_1^*)^u, (\rho_2^*)^v, \rho_3) \bmod p\Big],$$

where $G \leftarrow \{G\}_k$, $\rho^* \leftarrow (\rho_1^*, \rho_2^*, \rho_3^*) \leftarrow G \times G \times G^2$, $h \leftarrow \mathrm{KH}_k$, and $(u, v, \rho_3)$ denotes the output of $\mathcal{A}$ on input $(G, h, \rho^*)$.

A TCR hash function family $\mathsf{H}$ is a generalized target collision resistant (GTCR) hash function family associated with $\{G\}_k$ if for any probabilistic polynomial-time adversary $\mathcal{A}$, $\mathrm{AdvGTCR}_{\mathsf{H},\mathcal{A}}(k)$ is negligible in $k$.

Theorem 3. The proposed KEM scheme is IND-CPCA secure if the DDH assumption holds for $\{G\}_{k \in \mathbb{N}}$, $\mathsf{H}$ is a GTCR hash function family, and $\mathsf{F}$ is a PRF family.

The proof will be given in the full paper version of this paper.
Abstract. We present a minimalist public-key cryptosystem, as compact as ElGamal, but with adaptive chosen-ciphertext security under the gap Diffie-Hellman assumption in the random oracle model. The novelty is a dual-hash device that provides tight redundancy-free implicit validation. Compared to previous constructions, ours features a tight security reduction, both in efficacy and efficiency, to a classic and essentially non-interactive complexity assumption, and without resorting to asymmetric/symmetric-key hybrid constructions. The system is very compact: on elliptic curves with 80-bit security, a 160-bit plaintext becomes a 320-bit ciphertext. It is also very simple and has a number of practical advantages, and we hope to see it adopted widely.

1 Introduction and Motivation 

One of the major pursuits in cryptographic research has been to devise faster, 
nimbler, shorter, and stronger encryption systems that can be used in practice. 
In the realm of public-key cryptosystems, the lure of simplicity and efficiency 
has produced many a breakthrough and many more successive refinements, over 
the last three decades. 

We propose one more such technical refinement, in the form of a CCA2- 
secure PK cryptosystem with the shortest ciphertext among Discrete-Log-based 
systems at any given exact security level. Our construction is simple and purely 
algebraic, and relies on a standard assumption in the random-oracle model of [2].
To obtain short ciphertexts, we eliminate all sources of redundancy, and limit 
the unavoidable randomness to a single element of the computational group. 
Furthermore, we ensure that no space is wasted in the encoding of that element, 
by shrinking the computational group itself to the smallest size that the birthday 
paradox will allow. The latter requirement is only possible with a tight reduction 
to the underlying security assumption, as we shall discuss momentarily. These 
properties taken together account for the scheme’s compactness. 

All comparable schemes that have been suggested over the years either have a non-tight security reduction, or are hybrid constructions with both an algebraic and a symmetric-key component, each bringing forth its own complexity assumption. (We note that all known redundancy-free systems depend either on some non-standard oracle assumption, or at least on the random-oracle model. Indeed, it remains a major open problem to withstand active attacks without redundancy and without relying on random oracles or some sort of interactive assumption.)

By contrast, the scheme we propose can be proven tightly secure, in the 
random-oracle model, solely under the Gap Diffie-Hellman (Gap-DH) assump- 
tion or even under the usual Computational Diffie-Hellman (CDH) assump- 
tion if the algebraic group admits an efficient bilinear pairing: This is because 
with a pairing one can instantiate the DDH oracle posited by the Gap-DH as- 
sumption, which then reduces to plain CDH. Pairing-friendly groups are easy to
construct on certain types of elliptic curves; we refer the reader to the abundant 
literature on pairing-based cryptography. We emphasize that our scheme will be 
secure under CDH as soon as a pairing exists in the selected group, even though 
we never actually use it. In groups where no efficient pairing is known to exist, 
security still follows from the Gap-DH assumption. 

1.1 On the Tightness of Reductions 

A tight security reduction to a simple and well-studied assumption is crucial to the determination of the exact security of any cryptosystem. A security proof can be loose in two different ways: the final reduction may cause a loss of success probability, or the simulator can be slow and steal most of the computational time that should go to the attacker. The latter factor is too often ignored when a security proof is advertised as tight: it is often the case that a proof with tight efficacy, probability-wise, uses an inefficient simulator whose running time is quadratic or worse, which can significantly hurt the security of the scheme in a real-world attack; the true security guarantee would not be tight if one accounted for all parameters, as one should. Accordingly, it is only by taking into account all intervening factors that a scheme's true security can be determined for a chosen apparent security parameter. Larger apparent security parameters will have to be selected to compensate for loose reductions (or strong assumptions), resulting in larger ciphertexts for the desired target security level.

In the random oracle model in particular, it is very important to pay close atten- 
tion to the extent that a scheme’s exact security deteriorates with the number of 
random oracle queries made by the adversary, because in reality the random oracle 
is instantiated as an algorithmic hash function that can be queried offline, limited 
only by the adversary’s computational powers. Interactive assumptions that as- 
sume the existence of “fancy oracles” that have no actual instantiations (even im- 
perfect ones) are even more troublesome, because there is no telling how a scheme 
that depends on such an oracle will fare in the real world: it might be completely 
insecure and it is not hard to find examples of such. Sensitivity to the number of 
decryption queries is less critical because in practice the decryption query rate is 
limited by various online processes, but it nevertheless remains an issue. 

1.2 Our Contribution 

For all of the reasons above, it is our purpose here to devise a compact encryption scheme based on plausible assumptions, and establish exact security bounds as a function of the number of random-oracle and decryption queries made by the opponent. We seek to obtain a tight security bound that is quasi-independent of the number of those queries (as long as their number remains sub-exponential in the security parameter, which is an unavoidable requirement). Surely, eliminating the random oracle itself would be even more desirable, but it is an open problem whether that is even feasible at all if no redundancy whatsoever is tolerated.

Our main technical tool stems from the observation that a pair of sequential one-time pads can, in the random-oracle model, give us an almost tight reduction from a mild assumption such as CDH or Gap-DH, without appealing to explicit ciphertext redundancy or a hybrid scheme. Whereas redundancy-free public-key schemes with a tight reduction have been proposed in the past, we view the dual-hash device and the simpler structure that it enables as our main contributions. As an added bonus, our system will support very efficient non-interactive threshold decryption.

2 Toward Active Security Without Redundancy 

The most common threat to CCA2 security is that of a query on a malformed 
ciphertext causing the decryption oracle to leak damaging information, either 
about the private key, or about the plaintext (when the malformed ciphertext 
is a deformation of a legitimate one). For this reason, the most common way to 
construct a CCA-secure system from a CPA-secure one is to add some redun- 
dancy, thanks to which malformed or mauled ciphertexts can be safely rejected. 
Redundancy also has a utilitarian purpose in the security proofs: simulators
use it to extract private knowledge about the ciphertext creation, which gives 
them a backdoor thanks to which decryption queries can be answered with- 
out knowledge of the decryption key. The two main ways that this backdoor is 
implemented are the NIZK and IBE approaches, briefly described below. 

Redundancy can nevertheless be avoided provided that the decryption of mal- 
formed ciphertexts is made harmless, e.g., as will be the case if the decryption 
of bogus ciphertexts appears uniformly random to the adversary. Thus, as has 
been observed several times before, redundancy is not truly necessary in order 
to achieve chosen-ciphertext security (though randomness is always needed for 
semantic security). Technically, one must also ensure that the simulator is still 
able to answer the decryption queries in the absence of a redundancy backdoor: 
this is where idealized models such as the random oracle heuristic [2] must come
into play, at least in our current state of knowledge. 

Subject to the above limitations, there exists a rather extensive body of work 
on public- key encryption systems secure against active attacks. We now review 
the main proposals, concentrating on systems that are usable in practice. In order 
to depict a more complete landscape, we also discuss a number of redundant 
constructions, since they far outnumber the redundancy-free ones. Once again, 
if we insist on the lack of redundancy, no CCA2-secure public-key systems, not 
even conjectured ones, are known to exist in the standard model. 
2.1 In the Standard Model

In the standard model, all known chosen-ciphertext-secure systems require some 
redundancy. 

First of all, we mention the early theoretical work of Dolev, Dwork, and Naor 
which achieves CCA-security using a bitwise construction which is too inef- 
ficient to be used in practice. More efficient constructions were to follow, based 
either on the so-called two-key paradigm, or, more recently, on identity-based 
encryption and related techniques. 

The two-key (or double-encryption) framework for chosen-ciphertext security was first proposed by Naor and Yung, and perfected by Cramer and Shoup, who gave the first efficient CCA2-secure public-key scheme in the standard model. There were many subsequent improvements to the Cramer-Shoup system, and the current state of the art is due to Kurosawa and Desmedt [20]. The two-key paradigm consists in providing two independent encryptions of the same plaintext, along with a Non-Interactive Zero-Knowledge (NIZK) proof that the two plaintexts are the same. This provides the needed redundancy that allows the simulator to answer decryption queries. A drawback of this approach is that the redundancy cannot be checked until the complete ciphertext has been decrypted, which makes threshold decryption a complicated proposition.

The Identity-Based Encryption (IBE) approach was recently proposed by Canetti, Halevi, and Katz, and subsequently improved. Here, the general idea is to encrypt a plaintext to an identity equal to a signature verification key, or some function of the ciphertext itself, that the recipient can use to authenticate the ciphertext. This is a different kind of redundancy that leads to a completely different type of simulation proof than in the two-key approach. Both methods are comparable in terms of efficiency. One advantage of the identity-based approach is that the integrity check can be done before decryption, which makes non-interactive threshold decryption easy. The main disadvantage of the IBE approach is that it uses bilinear pairings, although it is possible to eliminate them entirely by making stronger assumptions.

Although reasonably efficient, all these constructions require at least two 
group elements’ worth of ciphertext overhead. It is an open problem to achieve 
chosen-ciphertext security without redundancy in the standard model. 

2.2 Using Random Oracles 

In parallel to the above developments, researchers have sought to construct 
CCA2-secure systems with efficiency as the primary goal, even if that meant 
using the random oracle heuristic. One of the most significant works in this area 
is the RSA-OAEP padding scheme and its subsequent improvements,
which are widely deployed as a standard. However, the development of OAEP 
was tormented: the original redundancy-free design had to be scrapped in order 
to achieve provable chosen-ciphertext security, and it took several years until an 
RSA system with both properties was finally invented (see below). 

In parallel, a powerful result by Fujisaki and Okamoto, subsequently improved by the same authors, shows that any CPA-secure encryption scheme can be generically transformed into a CCA2-secure one, in the random oracle model, simply by adding some judicious redundancy. One can thus assemble a very efficient CCA2-secure system simply by taking an elliptic-curve implementation of the ElGamal cryptosystem and applying the Fujisaki-Okamoto transformation. This does however introduce some redundancy.

2.3 From Interactive Hash Assumptions 

Since random oracles alone did not seem sufficient to obtain redundancy-free 
chosen-ciphertext security, one had to appeal to more exotic and stronger as- 
sumptions. In general, these assumptions are interactive and involve at least a 
random function, very much like the random oracle model. 

The first system to achieve redundancy-free chosen-ciphertext security is that
of Phan and Pointcheval. The Phan-Pointcheval scheme can be thought of
as an extension of RSA-OAEP that achieves adaptive security using the theo- 
retical minimum amount of randomness and no redundancy, but under a strong 
non-standard interactive assumption. Roughly speaking, it combines a trapdoor 
permutation with an idealized random permutation; the CCA2 security proof 
then holds in the random permutation model. In practice, the system is instan- 
tiated using RSA and a Feistel network, which only requires a random oracle 
rather than a random permutation. 

The second system in this category is DHIES, all of whose variants are
based on a strong interactive assumption known as Oracle Diffie-Hellman. The 
DHIES system is a hybrid of ElGamal, a symmetric cipher, and a MAC, and is 
provably secure under the ODH assumption. Because of the MAC, the original 
DHIES system is not redundancy-free. 

Kurosawa and Matsuo subsequently gave an improvement to DHIES that
eliminated the MAC from the ciphertext and thus the redundancy. This was done
by means of a special "all-or-nothing" mode of operation for the symmetric ci-
pher, such as CMC and EME, which can be viewed as an analog to the
pseudo-random permutation in the Phan-Pointcheval system. With this modifi- 
cation, DHIES no longer incurs any expansion, and thus the Kurosawa-Matsuo 
system is indeed free of redundancy. Since furthermore DHIES can be imple- 
mented on elliptic curves, unlike Phan-Pointcheval which uses integer arithmetic 
modulo a large RSA composite, Kurosawa-Matsuo can be made very compact. 
Indeed, their system currently holds the record for the most compact CCA2 
public-key system for short messages. 

Libert and Quisquater later transposed the ideas of Kurosawa and Matsuo to the identity-based encryption setting, and in particular to the IBE system of Boneh and Franklin. They show that CCA2 security can be obtained by using an expansion-less chosen-ciphertext-secure symmetric mode of operation (instead of the Fujisaki-Okamoto transformation as originally used). The Libert-Quisquater IBE system is in fact simpler than the Kurosawa-Matsuo PKE, but unfortunately, the security of the former rests (in the RO model) upon a very strong interactive assumption called Gap Bilinear Diffie-Hellman, which is not even falsifiable in our current state of knowledge since nobody knows how to construct a Gap-BDH challenger.

To conclude this tour, we now briefly review the main features of the Phan-Pointcheval and the Kurosawa-Matsuo systems, as these are the two schemes against which our construction ought to be compared.

The Phan-Pointcheval System. Phan and Pointcheval gave the first construction of a CCA2-secure public-key encryption system without redundancy. It is based on the RSA trapdoor permutation, which is made non-malleable using an idealized random permutation instantiated as a Feistel network. The Phan-Pointcheval system incurs very little ciphertext expansion: for an apparent security parameter $\kappa$, the ciphertext is only $\kappa$ bits longer than the message it encrypts. Without taking the security reduction efficiency into account, this is the smallest possible ciphertext expansion that can be achieved by any public-key encryption scheme at the $2^{-\kappa}$ security level.

In reality, Phan-Pointcheval is not quite as compact as we would like, for a couple of reasons: (1) its security reduction has tight efficacy but only quadratic efficiency in the Feistel network instantiation, which means that in practice its exact security could degrade significantly with the number of queries made by the adversary, which ought to be compensated by growing the modulus; (2) because the scheme is built around an RSA permutation, ciphertexts cannot be made smaller than 1024 bits at the $2^{-80}$ security level, or 15360 bits at the $2^{-256}$ security level, to guard against sub-exponential factorization attacks of complexity $L(1/3)$ using the number field sieve.

The Kurosawa-Matsuo System. To avoid the minimum size limitation as- 
sociated with RSA groups, Kurosawa and Matsuo have proposed a differ- 
ent construction of a CCA2-secure public-key cryptosystem, based not on RSA 
but on ElGamal. Since ElGamal can be implemented on elliptic curves, much 
fewer bits are in principle needed in order to achieve the same security. The 
Kurosawa-Matsuo construction is set in the KEM/DEM framework, where a 
CCA2-secure KEM is constructed simply by hashing an ElGamal session key, 
from which an expansion-less one-time chosen-ciphertext-secure DEM is used to 
encrypt the actual message. For an apparent security parameter k, the ciphertext 
is 2 k bits longer than the message, which is the smallest possible expansion for a 
Discrete-Log-based cryptosystem, due to the birthday bound barrier associated 
with generic discrete-log attacks. 

On the negative side, the security reduction of the Kurosawa-Matsuo system relies on the original DHIES construction, which is based on a very strong interactive assumption called the Oracle Diffie-Hellman assumption. Roughly speaking, the ODH problem asks us to distinguish $(g, g^a, g^b, g^{ab})$ from $(g, g^a, g^b, g^r)$ given access to an oracle $\mathcal{O}: h \mapsto H(h^a)$, which can be thought of as the composition of a secret-power exponentiation with an ideal random hash function (also kept secret by default). We note however that Cramer and Shoup later gave an alternative security proof of DHIES, replacing ODH with Gap-DH in the random oracle model. Their proof should also apply to the Kurosawa-Matsuo system.

Perhaps the main downside of the Kurosawa-Matsuo system is that it depends on rather complex modes of operation for block ciphers, such as the deterministic, redundancy-free, one-time chosen-ciphertext-secure modes mentioned above (CMC and EME). Because of those extraneous components, the Kurosawa-Matsuo system may suffer from a larger implementation footprint than competing schemes. The complex modes of operation may also pose practical challenges for arbitrary-size plaintexts.

2.4 The New Construction 

Here, we propose another efficient public-key encryption system without redundancy and with a tight adaptive chosen-ciphertext security proof. A feature of our scheme is its simple and self-contained algebraic structure. The security reduction is to the Gap Diffie-Hellman assumption in the random-oracle model. Gap-DH is a "decisional/computational gap" assumption, which simply posits that CDH is hard given a DDH oracle. Since Gap-DH itself reduces to the usual CDH in groups equipped with a bilinear map (which we know how to construct), our scheme belongs with the "plain" random-oracle schemes of Section 2.2 as opposed to the "fancy" interactive-assumption schemes of Section 2.3, which until now were the only ones known to avoid redundancy. Practically speaking, our system only uses hashing and generic group arithmetic (no block cipher and no complex mode of operation), and so its implementation should be straightforward in any programming language with a decent library.

The main idea of the scheme is to blind the message not once, but twice, us- 
ing ElGamal one-time pads that are homomorphically related to the same secret 
decryption key. The resulting ciphertext has no explicit redundancy because the 
second key can be reconstructed from the first without having to include any 
information about it. In the random oracle model, this however gives us the im- 
plicit consistency check needed for chosen-ciphertext security. Furthermore we 
can simulate it in constant time and almost perfectly (i.e., with negligible secu- 
rity loss) against any polynomially bounded adversary, hence the tight security. 

Security and Compacity. It should be mentioned that it does not seem feasible to achieve a better "ciphertext compacity vs. exact security" tradeoff without leaving the realm of Discrete-Log-based algebraic CCA2 PKE systems. Indeed, at the $2^{-\kappa}$ exact security level, the ciphertext overhead is a single group element, which takes as few as $2\kappa$ bits to represent; however, the randomness embedded in this element cannot be removed, and any attempt to reduce the entropy of that group element further will enable a generic discrete logarithm attack of relative complexity lower than $\sqrt{2^{2\kappa}} = 2^{\kappa}$.

However, one should not infer from this that shorter ciphertexts are not possible using different techniques. For example, with trapdoor permutations it is possible to reduce the overhead to the theoretical minimum of $\kappa$ bits, as in the Phan-Pointcheval system; one problem with this approach is that RSA-based trapdoor permutations require much larger groups than elliptic curves for the same security (which is why Phan-Pointcheval ciphertexts remain large despite the very low overhead). Substituting a more compact trapdoor permutation for RSA in Phan-Pointcheval would be an excellent way to create a more compact scheme than the present proposal. Of course, constructing a compact trapdoor permutation in the first place, e.g., whose inputs and outputs are no greater than $3\kappa$ bits at the $2^{-\kappa}$ security level, is another long-standing famous open problem in cryptography.

State of the Art. We do not claim that our construction constitutes a deep 
result, but merely a practical one that we hope will be adopted in practice. In 
retrospect, our construction and its security proof appear quite simple, indeed, 
as surely many other results of this sort have before it. However, the fact that 
with a simple trick we have improved upon the state of the art on an old problem 
is a compelling indication that there are still new insights to be gained in this 
area. Thus we hope that this contribution will be useful to security practitioners, 
and perhaps inspire new ideas to researchers in the field. 

3 The Miniature CCA2 System 

We are now almost ready to present the construction. Unlike Kurosawa and 
Matsuo, we seek to build an integrated encryption scheme without insisting on 
a separation between KEM and DEM. On the contrary, we look for an algebraic 
construction that avoids block ciphers and their complex modes of operations, 
and seek to base our scheme on a single mild and well-studied assumption. 

3.1 Inching Toward a Solution 

Before we present our construction, it is useful to try out a few approaches, to 
see what works and what does not. This will make it easier to understand the 
design of the final scheme. 

1. To start, consider the hashed ElGamal system, whose ciphertext is $(c_1, c_2) = 
(M \oplus H(g_2^r),\ g_1^r)$ for random $r \in \mathbb{F}_p$. The public key is $(g_1, g_2) \in G^2$, and 
the decryption key is $k = \mathrm{dlog}_{g_1}(g_2)$. The ciphertext is free of redundancy, 
but it is malleable and thus the scheme is only secure under passive attacks. 

2. To make the scheme secure under active attacks, we can modify the cipher- 
text as follows: $(c_1, c_2) = (M \oplus H_1(g_2^r),\ g_1^r\, g_3^{r\, H_2(c_1)})$, where $H_1$ is viewed as 
a random oracle and $H_2$ is collision resistant. The public key is $(g_1, g_2, g_3)$ 
and the secret key their discrete logs. 

Here, there is no obvious active attack, and in fact the scheme can be 
proven IND-CCA2 secure under the Gap-DH assumption in the random 
oracle model. Unfortunately, the reduction is not tight, and is in fact rather 
expensive because, for each decryption query, the DDH oracle must be tested 
against the inputs to all previous random-oracle queries. 
3. The reduction in the previous scheme can be made more efficient, and thus 
the scheme more secure in the exact sense, by including more information in- 
side the random-oracle input, as in: $(c_1, c_2) = (M \oplus H_1(g_1^r, g_2^r),\ g_1^r\, g_3^{r\, H_2(c_1)})$. 

We can also take $g_3 = g_1$ to make the key shorter. 

This simple modification greatly reduces the number of DDH oracle 
queries needed by the simulator (in a security reduction to Gap-DH), to 
the point that we now have proportionality between the adversary’s and 
the simulator’s use of their respective oracles, i.e., one query to the DDH 
oracle for each random-oracle query. The resulting reduction is thus more 
efficient, and, indeed, public-key systems with this exact structure have been 
recently and independently suggested in at least two places [29,25], prior to 
the publication of this work. 

However, security still is not tight. For every decryption query, the sim- 
ulator must perform a non-trivial group operation between $c_2$ and the input 
to every random oracle query made so far. Thus, if the adversary makes 
$q_d$ decryption and $q_H$ random-oracle queries, the simulator’s running time 
will be at least the product of the two, i.e., $\Omega(q_d\, q_H)$, which is clearly dis- 
proportionate (i.e., super-linear) to the sum total of all of the adversary’s 
queries. 

Hence, although the efficacy or success probability of the reduction may 
be tight, and the use of the DDH oracle parsimonious, the reduction algo- 
rithm remains inefficient due to an excess of bookkeeping. 

A general principle that emerges from these examples is how random oracles 
can be utilized to extract the information needed to answer decryption queries, 
when the ciphertext contains no redundancy that would let us do so in another 
way (as in the schemes mentioned in Section 2.1). 

We can also see, in all these examples and analogous constructions based on 
a Gap assumption, that the simulator must try out all random oracle inputs to 
see if one works for every decryption query that it answers. This is not unrelated 
to the fact that our assumption (Gap-DH) only provides a decisional (yes/no) 
oracle to the simulator, and indeed, the Kurosawa-Matsuo scheme does not have 
this problem because its DHIES component relies on a stronger assumption. 

However, the central reason for the schemes’ reduction inefficiency is their use 
of a single random oracle for blinding the message (as in $M \oplus H(\ldots)$). It turns out 
that a much more efficient simulator can be made if we had two random-oracle 
one-time pads to play with (as in $M \oplus H_1(\ldots) \oplus H_2(\ldots)$). Why this is so will 
become apparent when we construct a simulator in Section 3.4. 

3.2 The Full Scheme 

Our construction is based on some of the principles hinted to above. The main 
difficulty is to obtain a double one-time-pad blinding of the message without 
lengthening the ciphertext, and then to use this double blinding in the security 
proof to achieve a tight reduction. 

We start with the construction, which uses two random oracles $\Phi$ and $\Psi$, and 
one collision-resistant function $\pi$ which could be a simple injection. 
Context: Let $k \in \mathbb{N}$ be an arbitrary security parameter. Let $G = \langle U \rangle$ be a cyclic 
prime-order group (written multiplicatively), generated by $U$, of prime order 
$p$, such that $2^{2k-1} < p < 2^{2k+1}$. Let $\mathbb{F}_p$ be the finite field of size $p$, and let 
$\mathbb{F}_p^* = \mathbb{F}_p \setminus \{0\}$ denote its multiplicative group of order $p-1$. Let $\mathcal{M} = \{0,1\}^\ell$ 
be the set of all bit strings of length $\ell$, for any fixed $\ell \ge 2k$. 

Let $\pi : \mathcal{M} \to \mathbb{F}_p^*$ be an arbitrary injection or a collision-resistant hash 
function. 

Let $\Phi : G \times G \to \mathcal{M}$ and $\Psi : G \to \mathcal{M}$ be two cryptographic hash functions 
(viewed as RO). 

Key generation: Draw a secret random exponent $s \in_R \mathbb{F}_p^*$, and calculate $V = 
U^s$. 

The public encryption key is $\mathrm{Pk} \leftarrow (U, V) \in G^2$. 

The private decryption key is $\mathrm{Sk} \leftarrow s \in \mathbb{F}_p^*$. 

Encryption: Given Pk and a plaintext $\mathrm{Msg} \in \mathcal{M}$, pick a randomizer $r \in_R \mathbb{F}_p^*$, 
and let, 

$A \leftarrow V^r$ 

$B \leftarrow \Psi(A) \oplus \mathrm{Msg}$ 

$C \leftarrow V^{r\,\pi(B)}$ 

$D \leftarrow U^{r\,\pi(B)}$ 

$E \leftarrow \Phi(D, C) \oplus B$ 

The ciphertext is $\mathrm{Ctx} = (D, E) \in G \times \mathcal{M}$. 

Decryption: Given Sk and a ciphertext $\mathrm{Ctx} = (D, E)$, check that $D \in G$, 
and let, 

$C \leftarrow D^{\mathrm{Sk}}$ 

$B \leftarrow E \oplus \Phi(D, C)$ 

$A \leftarrow C^{\pi(B)^{-1}}$ 

$M \leftarrow B \oplus \Psi(A)$ 

The decrypted plaintext is $\mathrm{Msg} = M \in \mathcal{M}$. 
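The scheme above, implemented end to end as an added example (this is my code, not the paper's): the 64-bit safe-prime group, the fixed-width element encoding and the SHA-256-based stand-ins for Φ, Ψ and π are constructions for this demonstration only, far below any real security level. The demo also exercises the behaviour discussed in Section 3.5: a tampered ciphertext still decrypts (there is no ⊥), and a few zero bytes of plaintext redundancy suffice to notice it.

```python
import hashlib
import secrets

# Toy parameters constructed for this example (not from the paper): G is the
# order-p subgroup of Z_q^* for a safe prime q = 2p + 1 found by search at
# about 64 bits, far below any real security level.  Exponents live in F_p.
ELL = 32  # |Msg| in bytes; the paper requires ell >= 2k bits (2k ~ 64 bits here)

def is_probable_prime(n: int) -> bool:
    """Miller-Rabin; deterministic for n < 3.3e24 with these 12 bases."""
    bases = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]
    if n < 2:
        return False
    for b in bases:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def make_group(bits: int = 64):
    """Return (q, p, U): safe prime q = 2p + 1 and a generator U of the order-p subgroup."""
    while True:
        p = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(p) and is_probable_prime(2 * p + 1):
            return 2 * p + 1, p, 4    # 4 = 2^2 is a square other than 1, hence of order p

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _ro(tag: bytes, data: bytes) -> bytes:
    """ELL-byte digest from SHA-256 in counter mode; stands in for a random oracle."""
    return b"".join(hashlib.sha256(tag + i.to_bytes(4, "big") + data).digest()
                    for i in range((ELL + 31) // 32))[:ELL]

def elem(x: int) -> bytes:          # fixed-width encoding of a group element
    return x.to_bytes(16, "big")

def psi(A: int) -> bytes:           # Psi : G -> M
    return _ro(b"Psi", elem(A))

def phi(D: int, C: int) -> bytes:   # Phi : G x G -> M
    return _ro(b"Phi", elem(D) + elem(C))

def pi(B: bytes, p: int) -> int:    # pi : M -> F_p^*, a collision-resistant hash
    return int.from_bytes(hashlib.sha256(b"pi" + B).digest(), "big") % (p - 1) + 1

def keygen(q, p, U):
    s = secrets.randbelow(p - 1) + 1             # Sk = s in F_p^*
    return (U, pow(U, s, q)), s                  # Pk = (U, V = U^s)

def encrypt(q, p, pk, msg: bytes):
    U, V = pk
    r = secrets.randbelow(p - 1) + 1             # randomizer r in F_p^*
    A = pow(V, r, q)
    B = xor(psi(A), msg)                         # first one-time pad
    e = r * pi(B, p) % p                         # exponent r*pi(B), shared by C and D
    C, D = pow(V, e, q), pow(U, e, q)
    E = xor(phi(D, C), B)                        # second one-time pad
    return D, E                                  # overhead: a single group element

def decrypt(q, p, sk, ct):
    D, E = ct
    if not (1 < D < q and pow(D, p, q) == 1):    # the only check: D in G
        raise ValueError("D is not in G")
    C = pow(D, sk, q)
    B = xor(E, phi(D, C))
    A = pow(C, pow(pi(B, p), -1, p), q)          # C^{pi(B)^{-1}} = V^r
    return xor(B, psi(A))                        # no redundancy, so this never "fails"

def demo():
    q, p, U = make_group()
    pk, sk = keygen(q, p, U)
    msg = b"\x00" * 4 + secrets.token_bytes(ELL - 4)   # zero prefix as in Section 3.5
    D, E = encrypt(q, p, pk, msg)
    roundtrip = decrypt(q, p, sk, (D, E)) == msg
    # Flipping one bit of E still decrypts, but to an unrelated string whose
    # zero prefix survives only with probability about 2^-32.
    forged = decrypt(q, p, sk, (D, xor(E, b"\x80" + b"\x00" * (ELL - 1))))
    try:                                         # -1 is not in G since q = 3 (mod 4)
        decrypt(q, p, sk, (q - 1, E))
        rejected = False
    except ValueError:
        rejected = True
    return roundtrip, forged != msg, forged[:4] != b"\x00" * 4, rejected
```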

3.3 Operational Efficiency 

Encryption and decryption have essentially the same computational costs, which 
are dominated by the costs of two exponentiations in G, plus (for long messages) 
two passes on a buffer whose size is that of the input string (resp. plaintext or 
ciphertext). In particular, we note the following: 

— Encryption requires only two exponentiations (and not three), because most 
of the work done to compute $V^r$ can be reused to compute $V^{r\,\pi(B)}$, regard- 
less of the exponentiation algorithm used (whether straight double-and-add, 
or one of the many efficient window methods; cf., e.g., [31]). 

— Decryption can similarly be performed in about a single exponentiation (in- 
stead of two), by computing $A$ as $D^{\pi(B)^{-1}\cdot\mathrm{Sk}}$, which uses the same gener- 
ator as $D^{\mathrm{Sk}}$ and thus shares the same intermediate powers. 
— In both cases, only two passes on the buffer are needed (and not three): first 
on the input string Msg or $E$, and then a second pass on the intermediate 
string $B$ (on either side), which must be stored temporarily. We do not need a separate 
pass to compute $\pi(B)$, since this value can be evaluated on-the-fly 
while computing $B$. However, this really matters only for long inputs, 
where the benefits of redundancy-free encryption are less pronounced. 

Any plaintext represented as a string of at least $2k$ bits can be encrypted without 
requiring any special encoding, and without using any downstream symmetric- 
key cipher or other hybrid component. The ciphertext overhead is a single group 
element in G. 

3.4 Security Reduction 

We prove the security of our scheme in the well-known and very standard sense of 
IND-CCA2 security, or indistinguishability under an adaptive chosen-ciphertext 
attack. The reduction proceeds from an instance of the Gap-DH problem, 
in the random oracle model. 

We recall that the Gap-DH problem is to solve the CDH problem given access 
to a DDH oracle. In a computational group $G$, such an instance is a triple 
$(U, V, W) = (U, U^v, U^w) \in G^3$, and the task is to compute the value $U^{vw} \in G$, 
given repeated access to a decision oracle indicating whether an input tuple 
$(A, B, C, D) \in G^4$ satisfies the relation $\mathrm{dlog}_A(B) = \mathrm{dlog}_C(D)$. 

Theorem 1. The miniature public-key cryptosystem is IND-CCA2 secure in the 
random oracle model, provided that the Gap Diffie-Hellman assumption holds in 
G. The reduction is tight w.r.t. computational cost (“efficiency”) and success 
probability (“efficacy”) simultaneously. 

Proof. Suppose there is an adversary A that breaks the encryption scheme. We 
build from it an algorithm B that solves the Gap-DH problem by simulating an 
attack environment to such an adversary. During the course of the interaction, 
the simulator will record the answers it makes in response to all queries, and 
additionally maintain two separate “watch-lists” for $\Phi$ and $\Psi$. 

Key generation. B is given access to a Decision Diffie-Hellman oracle $\mathcal{DDH} : 
G^4 \to \{0, 1\}$; it receives a Diffie-Hellman instance $(U, V, W) = (U, U^v, U^w) \in 
G^3$, and is to compute $U^{vw} \in G$. 

To start the simulation, B gives to A the public key Pk = (U,V), implic- 
itly letting Sk = v. 

Decryption queries. A makes adaptive decryption queries on any ciphertexts 
$(D_k, E_k) \in G \times \mathcal{M}$. 

To respond, B sifts the query logs for a random oracle query $\Phi(D_j, C_j)$ 
such that $D_j = D_k$ and $C_j = D_k^{\mathrm{Sk}}$. To do this in constant time, B can 
maintain a hash-table of those oracle queries such that $\mathcal{DDH}(U, V, D_j, C_j) = 
1$. Let thus $(D_j, C_j)$ be the retrieved entry, if it exists. 

— If it does, let $\phi_j = \Phi(D_k, C_j)$ be the previously assigned value; the sim- 
ulator then computes $B_k \leftarrow E_k \oplus \phi_j$ and $A_k \leftarrow C_j^{\pi(B_k)^{-1}}$, and returns 
$M_k \leftarrow B_k \oplus \Psi(A_k)$ as the plaintext. 
— Otherwise, the simulator simply returns a random string $M_k \in_R \mathcal{M}$, while 
privately adding the triple $(D_k, E_k, M_k)$ to the watch-list associated with 
$\Phi$, for future use given below. 

Hash-$\Phi$ queries. A adaptively queries the random oracle $\Phi$ on unique input 
pairs $(D_j, C_j) \in G^2$. 

To respond, B picks a random string $\phi_j \in_R \mathcal{M}$ which it returns as answer 
to the query. Additionally, it tests whether $\mathcal{DDH}(U, V, D_j, C_j) = 1$, in which 
case it pulls from the watch-list associated with $\Phi$ all the triples $(D_k, E_k, M_k)$ 
such that $D_k = D_j$. For all such triples, the simulator lets $B_k \leftarrow E_k \oplus \phi_j$, 
computes $A_k \leftarrow C_j^{\pi(B_k)^{-1}}$, defines $\psi_k \leftarrow B_k \oplus M_k$, adds the pair $(A_k, \psi_k)$ to 
the watch-list associated with $\Psi$, and deletes the triple from the list of $\Phi$. 

Observe that all $E_k$ and thus all $A_k$ are necessarily distinct, unless $\pi$ 
collided, and that the work of the simulator is linear in the number of triples 
that were pulled from the watch-list. Later, we account for the small proba- 
bility of getting a collision $A_{k_1} = A_{k_2}$ for $D_{k_1} \neq D_{k_2}$. 

Hash-$\Psi$ queries. A adaptively queries the random oracle $\Psi$ on arbitrary unique 
inputs $A_i \in G$. 

To respond, B first determines whether the watch-list associated with 
$\Psi$ contains a pair $(A_k, \psi_k)$ with $A_k = A_i$. If there exists such a pair, the 
simulator removes it from the watch-list and returns the string $\psi_k$; otherwise, 
it returns a fresh random string $\psi_i \in_R \mathcal{M}$. 

Challenge. A at some point outputs two messages $M_1$ and $M_2$ on which it 
wishes to be challenged. 

To create the challenge, B picks a random string $E^* \in_R \mathcal{M}$, sets $D^* \leftarrow 
W$ from the Gap-DH instance, and declares the challenge ciphertext to be 
$(D^*, E^*)$. It disregards $M_1$ and $M_2$. 

Additional queries. A makes more adaptive decryption and random oracle 
queries on arbitrary inputs (but no decryption query on the challenge ci- 
phertext), to which B responds as before. 

As it services the queries, the simulator is now on the lookout for a query 
$\Phi(D^*, C^*)$ such that $D^* = W$ and $\mathcal{DDH}(U, V, W, C^*) = 1$. As soon as A 
makes this query, B terminates the simulation and outputs $C^* = U^{vw}$ as 
solution to the Gap-DH instance. 

Outcome. If the adversary never asks for the value of $\Phi(W, U^{vw})$, its advan- 
tage must be zero, since then the simulation is perfect and the ciphertext 
is random. On the contrary, as soon as A makes this particular query, B 
obtains the solution it seeks without further interaction. 

We now analyze the parameters of the reduction. We consider both efficacy 
(i.e., the probability of success) and efficiency (i.e., the computational overhead 
needed for a successful reduction). 

Reduction Efficacy. It is easy to see that B’s probability of solving Gap-DH 
is no less than A’s advantage in the IND-CCA2 attack, minus a negligible 
loss $\Delta\epsilon$ that corresponds to the probability that the simulator made two 
conflicting random oracle assignments. A conflict can arise for $\Psi(A_k)$ due 
to a collision $A_{k_1} = C_{j_1}^{\pi(E_{k_1} \oplus \phi_{j_1})^{-1}} = C_{j_2}^{\pi(E_{k_2} \oplus \phi_{j_2})^{-1}} = A_{k_2}$ when $C_{j_1} \neq C_{j_2}$. 

Since the $\phi_j$ are jointly independent of the $C_j$ and $E_k$, and since every 
troublesome $C_j$ can be traced to a watch-list entry that in turn originates 
from a unique decryption query, the probability of such a collision over $q_d$ 
decryption queries, which dictates the total efficacy loss of the system, is 
given by the birthday bound: 

$\Delta\epsilon = \epsilon(A) - \epsilon(B) \le (q_d)^2 / p \approx (q_d)^2\, 2^{-2k} = \mathrm{negl}(k)$ . 

Reduction Efficiency. To express B’s running time in terms of A’s, let 
us assume that the adversary makes $q_d$ decryption and $q_\Phi$ and $q_\Psi$ hash 
queries, and that each exponentiation in $G$ or $\mathcal{DDH}$ query costs the simulator 
one time unit. The simulation time overhead $\Delta t$ is then given by $\Delta t = 
t(B) - t(A) = \Theta(q_d + q_\Phi + q_\Psi)$, from which we deduce that the running 
times of A and B are within a constant factor of each other (1 being the best possible 
ratio): 

$t(B)/t(A) = O(1)$ . 

It follows that the reduction is tight in all parameters, as long as the number of 
random oracle and decryption queries made by the adversary is sub-exponential 
in k, as required. 

3.5 Practical Extensions 

We briefly describe two simple extensions to the basic scheme, which we expect 
to be useful in certain applications. 

Adaptive Chosen-Ciphertext Security vs. Integrity. Most existing CCA2- 
secure cryptosystems to date, with or without random oracles, achieve security 
against active attacks by performing an integrity check during the decryption 
process, based on some amount of redundancy that is embedded in the ciphertext 
during encryption. Cryptosystems of this kind include Dolev-Dwork-Naor, 
Cramer-Shoup [12,13], Fujisaki-Okamoto [17,18], Kurosawa-Desmedt [28], and 
Canetti-Halevi-Katz, among many others. Most of the time the redundancy 
is secret, but it need not be. 

By contrast, our scheme does not authenticate the ciphertext; it is similar in 
that respect to a few other systems such as Phan-Pointcheval and Kurosawa- 
Matsuo, as already discussed. Indeed, without redundancy there cannot be 
a test to reject malformed ciphertexts, and thus the decryption process always 
succeeds. Hence there is no such thing as an “incorrect” ciphertext. (We remark, 
however, that because the IND-CCA2 security property implies PA-CCA2, or 
plaintext awareness, any ciphertext that was not created using the proper pro- 
cedure will safely decrypt to an unpredictable and useless plaintext). 

In some applications, it may be desirable to detect that a ciphertext has 
been tampered with. One solution is of course to use a “traditional” efficient 
CCA2-secure scheme, such as Fujisaki-Okamoto in the random oracle model or 
Kurosawa-Desmedt in the standard model. Another solution is to add a small 
amount of redundancy in the plaintext of our scheme, such as a few zeros. This 
approach might be more desirable in cases where a quick and inexpensive in- 
tegrity test is desired but not required for the security of the larger system: in 
this case adding a few zeros to the plaintext of our scheme will be the cheapest 
and most effective solution. 

Non-interactive Distributed Threshold Decryption. Recall that in a 
threshold public-key system, a number of distributed “partial decryption cen- 
ters” compute partial decryptions from the ciphertext, or shares, which are then 
combined in a threshold manner by a single combiner to produce the final plain- 
text. 

As mentioned earlier, CCA2-secure threshold cryptosystems are difficult to 
deploy based on the two-key paradigm, and also using the random-oracle-based 
Fujisaki-Okamoto transformation, because the decryption process will require 
the partial decryptors to communicate with each other in order to decide whether 
a ciphertext is valid or not. Essentially, this is because the redundancy in those 
schemes is secret [33], which makes it difficult to perform a validity test before the 
plaintext has been recovered. By contrast, the identity-based approach is much 
more conducive to secure threshold decryption under active attacks, because its 
redundancy is public and can be checked non-interactively by the decryption 
centers without costly inter-communications [5]. 

Our scheme turns out to be very easy to turn into a non-interactive CCA2- 
secure threshold system. The reasons for this are twofold. First, since the security 
of our scheme does not depend on any integrity check, the difficulty of conducting 
such a check in a threshold setting should have no ill effect. Second, the algebra 
of the scheme itself turns out to be very propitious to secret sharing, because the 
secret key Sk is only used once in the decryption process, to compute $C \leftarrow D^{\mathrm{Sk}}$. 

Thus, our scheme can be used as a basis for a threshold scheme, by splitting 
the secret key Sk into a number of random shares $\mathrm{Sk}_1, \ldots, \mathrm{Sk}_n$ using Shamir’s 
secret sharing. The partial decryption centers would use those shares to produce 
decryption shares $C_i \leftarrow D^{\mathrm{Sk}_i}$. With enough of those, the combiner can perform 
Lagrange interpolation “in the exponent” to recover the value of $C = \prod_i C_i^{\lambda_i}$, 
where the $\lambda_i$ are publicly computable Lagrange coefficients. Once it knows $C$, 
the combiner can complete the decryption algorithm without further interaction 
with the decryption centers. 
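The threshold variant sketched above, as an added example that is not from the paper; the toy 11-bit safe-prime group and the helper names are my own constructions. It shows the combiner recovering C = D^Sk from t partial decryptions by Lagrange interpolation in the exponent, with no center ever holding Sk and no communication between centers.

```python
import secrets

# Constructed toy group (not the paper's parameters): q = 2p + 1 = 2039 is a
# safe prime, so U = 4 generates the order-p subgroup of Z_q^*, with p = 1019.
Q, P, U = 2039, 1019, 4

def shamir_share(secret: int, t: int, n: int, p: int):
    """Split secret in F_p into n points on a random degree-(t-1) polynomial."""
    coeffs = [secret] + [secrets.randbelow(p) for _ in range(t - 1)]
    shares = []
    for i in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):          # Horner evaluation at x = i
            y = (y * i + c) % p
        shares.append((i, y))               # share Sk_i is the point (i, f(i))
    return shares

def lagrange_coeff(i: int, idxs, p: int) -> int:
    """lambda_i = prod_{j != i} j / (j - i) mod p, so that sum_i lambda_i f(i) = f(0)."""
    num = den = 1
    for j in idxs:
        if j != i:
            num = num * j % p
            den = den * (j - i) % p
    return num * pow(den, -1, p) % p

def partial_decrypt(D: int, share, q: int):
    """A decryption center raises D to its share: C_i = D^{Sk_i}."""
    i, sk_i = share
    return i, pow(D, sk_i, q)

def combine(partials, q: int, p: int) -> int:
    """Lagrange interpolation in the exponent: C = prod_i C_i^{lambda_i} = D^{Sk}."""
    idxs = [i for i, _ in partials]
    C = 1
    for i, C_i in partials:
        C = C * pow(C_i, lagrange_coeff(i, idxs, p), q) % q
    return C

def threshold_matches_direct(t: int = 3, n: int = 5) -> bool:
    """Any t of n centers reconstruct C = D^{Sk}; the combiner then finishes decryption."""
    sk = secrets.randbelow(P - 1) + 1
    shares = shamir_share(sk, t, n, P)
    D = pow(U, secrets.randbelow(P - 1) + 1, Q)   # D component of some ciphertext
    chosen = secrets.SystemRandom().sample(shares, t)
    C = combine([partial_decrypt(D, s, Q) for s in chosen], Q, P)
    return C == pow(D, sk, Q)
```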

3.6 Implementation on Curves 

Although our scheme generally relies on the Gap-DH assumption, it is possible to 
implement it in a computational group G where DDH is known to be easy (and 
CDH still believed to be hard): in this case the $\mathcal{DDH}$ oracle can actually be im- 
plemented, and Gap-DH reduces to the usual CDH assumption. In such groups, 
the security of the scheme thus follows from computational Diffie-Hellman, which 
has of course been studied extensively. 

Elliptic curves equipped with an efficiently computable bilinear pairing are 
an obvious choice for the group G, because the pairing lets us decide (but not 
compute) the Diffie-Hellman problem efficiently. (To be more precise, G will be 
a prime-order subgroup of the group of points on a pairing-friendly curve.) We 
refer to the abundant literature on pairings for details. 

On pairing-friendly curves, and more generally in any computational group 
with a bilinear map, the mere fact that the $\mathcal{DDH}$ oracle could be implemented 
efficiently gives us a tight IND-CCA2 security reduction to the CDH assumption 
in the random-oracle model. In reality, we will never need to use or implement 
a pairing. Conceivably, an existential proof that an efficient pairing (or DDH) 
algorithm exists is all we need to relax Gap-DH into the weaker CDH assumption. 

4 Summary 

We have proposed a very simple public-key cryptosystem with the most compact 
ciphertext for a given level of exact CCA2 security, without relying on hybrid 
constructions. Earlier constructions with similarly compact ciphertexts required 
complex modes of operations for block ciphers and/or stronger assumptions. The 
ciphertext has no redundancy, and the scheme offers a tight security reduction 
(both efficacy-wise and efficiency-wise) to a classic complexity assumption (Gap- 
DH, or just CDH if the arithmetic is done on a pairing-friendly curve). 

We have utilized a few new tricks to achieve “direct” tightness without re- 
dundancy. These tricks are set in the random oracle model, but we managed 
to avoid one of the problems associated with the random oracle methodology, 
namely, the fact that, once instantiated, the hash function can be queried of- 
fline a practically unlimited number of times. Since our scheme’s security is not 
sensitive to the number of queries (below the birthday bound), exact security 
remains tight as long as the hash function is adequately modeled as a black box. 

Of course, it would be nice to construct a redundancy-free CCA2-secure 
public-key encryption system in the standard model (even with a polynomially 
sloppy security reduction). However, this appears to be very difficult, because 
without redundancy, it is not clear how the simulator could extract the answer 
from the decryption queries. In this respect, our scheme represents another in a 
long series of a priori surprising results that crucially rely on the random oracle 
methodology [21,23,6]. 

We hope that our scheme will appeal to the practitioners of cryptography. Ideal 
uses for it include bandwidth-constrained environments where active attacks are 
a concern, such as radio systems that frequently transmit short messages. 
Abstract. Whereas encryption schemes withstanding passive chosen- 
plaintext attacks (CPA) can be constructed based on a variety of com- 
putational assumptions, only a few assumptions are known to imply the 
existence of encryption schemes withstanding adaptive chosen-ciphertext 
attacks (CCA2). Towards addressing this asymmetry, we consider a 
weakening of the CCA2 model — bounded CCA2-security — wherein se- 
curity needs only hold against adversaries that make an a-priori bounded 
number of queries to the decryption oracle. Regarding this notion we 
show (without any further assumptions): 

— For any polynomial q, a simple black-box construction of q-bounded 
IND-CCA2-secure encryption schemes, from any IND-CPA-secure 
encryption scheme. When instantiated with the Decisional Diffie- 
Hellman (DDH) assumption, this construction additionally yields 
encryption schemes with very short ciphertexts. 

— For any polynomial q, a (non-black box) construction of q-bounded 
NM-CCA2-secure encryption schemes, from any IND-CPA-secure 
encryption scheme. Bounded-CCA2 non-malleability is the strongest 
notion of security yet known to be achievable assuming only the ex- 
istence of IND-CPA secure encryption schemes. 

Finally, we show that non-malleability and indistinguishability are not 
equivalent under bounded-CCA2 attacks (in contrast to general CCA2 
attacks). 

1 Introduction 

Encryption is often compared to a ‘secure envelope’. Though appealing as a 
metaphor, understanding encryption requires a more formal definition of security 
of the primitive. For this task, the notion of semantic security against adaptive 
chosen-ciphertext attacks (in short, IND-CCA2 security) captures the essential 
characteristics of secure envelopes. 

Under adaptive chosen-ciphertext attacks (CCA2), whose study was pioneered 
by Naor and Yung [22], and Rackoff and Simon, security is required to hold 
with respect to adversaries that have access to a decryption oracle. This should 
be contrasted to the traditional type of chosen-plaintext attack (CPA), where 
the adversary is required to act on its own without any additional help. 
While there are a number of candidate (practical) public-key encryption 
schemes known to be semantically secure against a CPA attack, designing 
ones that withstand a CCA2 attack is a delicate and difficult task. In the stan- 
dard model, there are essentially three approaches known. The first approach, 
put forth by Naor and Yung [22] in the early 1990s, and subsequently extended 
by Dolev, Dwork and Naor, and later Sahai and Lindell [20], is based on 
the use of non-interactive zero knowledge for NP. This leads to schemes based 
on quite general cryptographic assumptions. The second is due to Cramer and 
Shoup [6,7,8] and is based on hash-proof systems. This leads to quite practi- 
cal schemes based on several concrete number-theoretic assumptions. The third 
and most recent approach is due to Canetti, Halevi and Katz [2] and relies on 
identity-based cryptography. 

To sum up, all the above approaches make use of additional assumptions to 
construct CCA2-secure schemes (apart from the existence of CPA-secure encryp- 
tion schemes). A fundamental open question is thus: 

Can any CPA-secure encryption scheme be transformed into one that 
is also CCA2 secure, without making additional complexity-theoretic as- 
sumptions? 


1.1 Our Results 

Towards addressing this fundamental question, in this paper we introduce a 
weakening of the CCA2 attack which we call a bounded-CCA2 attack. In such 
an attack, the adversary is restricted to making an a-priori bounded number of 
queries to the decryption oracle. This is indeed a reasonable model, since the use 
of encryption in many protocols (such as secure multiparty computation) can be 
upper-bounded to q decryptions. With this terminology, our main contributions 
are summarized below. Henceforth, unless otherwise mentioned, whenever we 
talk of CCA attacks, we mean adaptive chosen ciphertext attacks (CCA2), as 
opposed to the weaker lunch-time attacks (CCA1). 

Bounded CCA2 Semantic Security. Our first result is a simple and ef- 
ficient black-box construction of a public-key encryption (PKE) scheme that 
is semantically secure against a q-bounded CCA2 attack (technically termed 
IND-q-CCA-secure), starting from any CPA-secure encryption scheme. Techni- 
cally, this result combines techniques from earlier work. However, it appears that the 
implications for black-box constructions of chosen ciphertext secure encryption 
from semantically secure encryption, as we deduce them here, have not been 
reported before. 

Theorem 1 (Informal). For any polynomial q, there exists a black-box con- 
struction of an IND-q-CCA-secure encryption scheme from any CPA-secure en- 
cryption scheme. 
The key size and the ciphertext size of this construction are quadratic in q and 
thus quite large; nevertheless, it demonstrates the feasibility of black-box con- 
structions of bounded-CCA2-secure encryption schemes from any CPA-secure 
scheme. Interestingly, this result stands in sharp contrast to the recent results 
of Gertner, Malkin and Myers [12] showing that “such” black-box constructions 
are impossible when considering standard (unbounded) CCA2-secure encryption. 
(The black-box separation result from [12] only holds for constructions where 
the decryption function of the CCA2 secure scheme does not make calls to the 
encryption function of the CPA secure scheme. Our black-box construction of 
q-bounded CCA2 secure encryption falls into this category). 

We additionally show that if the underlying CPA-secure PKE scheme has cer- 
tain homomorphic properties, then we can construct a q-bounded CCA2-secure 
PKE scheme with very short ciphertexts. In particular, in groups where the DDH 
assumption holds, we can give a q-bounded CCA2 secure PKE scheme with only 
one group element of ciphertext expansion. In contrast, the best known DDH- 
based schemes such as the one by Kurosawa and Desmedt, which achieve full 
CCA2 security, have two group elements plus a MAC. The length of the public 
keys in this construction is, however, still quadratic in q. 

Bounded CCA2 Non-malleability. A q-bounded-CCA2 non-malleable (in 
technical terms, NME-q-CCA-secure) encryption scheme is one that is “non- 
malleable” with respect to an adversary making at most q decryption queries. 
For this notion, we are able to show: 

Theorem 2 (Informal). Assuming CPA-secure public-key encryption schemes 
exist, for any polynomial q, there exists an NME-q-CCA-secure encryption scheme. 

As far as we know, the notion of bounded-CCA2 non-malleability is the strongest 
notion of security for encryption schemes known to be achievable under only 
the assumption of CPA-secure encryption schemes. Furthermore, the length of 
both the public-key and the ciphertexts grows linearly with q (instead of 
quadratically as in our previous construction). However, this second construction 
makes a non-black-box use of the underlying CPA secure encryption scheme. In 
particular, we use a proof that several ciphertexts are encryptions of the same 
message, and this may require analyzing the encryption circuit to form a theorem 
statement. (On the other hand, even though our construction uses ZK proofs 
and thus costly NP reductions, in many cases, there exist efficient proofs — Σ- 
protocols, for example — for the type of theorems we encounter). 

Relation Between Semantic Security and Non-malleability Against 
Bounded CCA2 Attacks. It is known that under a CCA2 attack, the other- 
wise weaker notion of semantic security in fact implies also non-malleability. 
In the case of bounded-CCA2 security, however, we show that this equivalence 
does not hold. In particular, we show that q-bounded-CCA2 security for any 
(fixed) q does not even imply non-malleability under the simple CPA attack. 

Theorem 3 (Informal). Assume CPA-secure public-key encryption schemes 
exist. Then, for every q, there exists an encryption scheme that is q-bounded 
CCA2-secure, but is not non-malleable (even under a CPA attack). 
This separation of notions highlights the importance of directly proving non- 
malleability of our second scheme (which slightly complicates the analysis). 

1.2 Importance of These Results 

The notion of bounded CCA2 security which we present is a weakening of the 
traditional notion of CCA2 security. Since it is possible to achieve CCA2 security, 
one may then wonder why it is important to consider this notion. There are in 
fact two simple reasons: 

1. There are many hardness assumptions (such as computational-Diffie-Hellman 
and many lattice-based hardness assumptions) for which we can only con- 
struct CPA-secure encryption schemes. Our results show how to transform 
those schemes into ones with much stronger security properties. Since no 
one knows how to achieve full (unbounded) CCA2 security under these as- 
sumptions, our result represents the state-of-the-art for encryption in that 
area. 

2. Being a weaker notion, bounded-CCA2 security may allow for more efficient 
constructions. Indeed, under the DDH assumption, we present a bounded- 
CCA2 scheme which is less than half the size of the smallest full-CCA2 
secure scheme. For certain low-bandwidth applications in which the size of 
the ciphertext is critical, this may be the best construction to use. 

Organization. After fixing some notation in Section 2 we formally define the notion of q-bounded CCA2 security. Section 3 contains a black-box construction of a q-bounded IND-CCA-secure encryption scheme, and Section 4 contains an optimized instantiation under the DDH assumption. Section 5 contains a non-black-box construction of a q-bounded NME-CCA-secure encryption scheme. Finally, in Section 6 we present a separation between the definitions of semantic security and non-malleability under q-bounded attacks.

Publication Info. This paper is a merge of three independent preprints [ref].

2 Preliminaries and Definitions

If $S$ is a set then $s \leftarrow S$ denotes the operation of picking an element $s$ of $S$ uniformly at random. We write $A(x, y, \dots)$ to indicate that $A$ is an algorithm with inputs $x, y, \dots$ and by $z \leftarrow A(x, y, \dots)$ we denote the operation of running $A$ with inputs $(x, y, \dots)$ and letting $z$ be the output. We write $A^{O_1, O_2, \dots}(x, y, \dots)$ to indicate that $A$ is an algorithm with inputs $x, y, \dots$ and black-box access to oracles $O_1, O_2, \dots$. If $A$ is a randomized algorithm, the notation $A(x; r)$ means running $A$ with input $x$ and randomness $r$.

Definition 1 (Encryption scheme). A triple PKE = (Gen, Enc, Dec) is a public key encryption scheme, if (1) Gen and Enc are p.p.t. algorithms and Dec is a deterministic polynomial-time algorithm, (2) Gen on input $1^k$ produces a pair $(pk, sk)$, where $pk$ is the public-key and $sk$ is the secret-key, (3) $\mathrm{Enc} : pk \times \{0,1\}^* \to \{0,1\}^*$ runs on input a public key $pk$ and a message $m \in \{0,1\}^*$ and produces a ciphertext $c$, (4) $\mathrm{Dec} : sk \times \{0,1\}^* \to \{0,1\}^* \cup \{\bot\}$ runs on input $(sk, c)$ and produces either a message $m \in \{0,1\}^*$ or a special symbol $\bot$, (5) (Perfect Correctness) There exists a polynomial $p(k)$ and a negligible function $\mu(k)$ such that for every message $m$, and every random tape $r_e$,

$$\Pr\left[(pk, sk) \leftarrow \mathrm{Gen}(1^k; r_g) : \exists\, r_e, m \text{ s.t. } \mathrm{Dec}_{sk}(\mathrm{Enc}_{pk}(m; r_e)) \neq m\right] < \mu(k),$$

where the probability is over the random choice of $r_g$. That is, with high probability over the keys generated by Gen, all valid ciphertexts decrypt correctly.

Next, we define the notions of IND-q-CCA security and NME-q-CCA security.

Definition 2 (IND-q-CCA security). For a function $q(k) : \mathbb{N} \to \mathbb{N}$, we define the security notion of indistinguishability against q-bounded CCA adversaries (IND-q-CCA). For an adversary $A = (A_1, A_2)$ we define the advantage function

$$\mathrm{Adv}^{\text{ind-q-cca}}_{\mathrm{PKE},A}(k) = \left|\, \Pr[\mathrm{Exp}^{\text{ind-q-cca-1}}_{\mathrm{PKE},A}(k) = 1] - \Pr[\mathrm{Exp}^{\text{ind-q-cca-0}}_{\mathrm{PKE},A}(k) = 1] \,\right|$$

where, for $b \in \{0,1\}$, $\mathrm{Exp}^{\text{ind-q-cca-b}}_{\mathrm{PKE},A}$ is defined by the following experiment.

Experiment $\mathrm{Exp}^{\text{ind-q-cca-b}}_{\mathrm{PKE},A}(k)$:
    $(pk, sk) \leftarrow \mathrm{Gen}(1^k)$
    $(M_0, M_1, St_1) \leftarrow A_1^{\mathrm{Dec}(sk,\cdot)}(pk)$ s.t. $|M_0| = |M_1|$
    $c^* \leftarrow \mathrm{Enc}(pk, M_b)$
    $b' \leftarrow A_2^{\mathrm{Dec}(sk,\cdot)}(c^*, St_1)$
    Return $b'$

The adversary $(A_1, A_2)$ is restricted to ask at most $q(k)$ queries to the decryption oracle Dec in total in each run of the experiment, and none of the queries of $A_2$ may contain $c^*$. The scheme PKE is said to be indistinguishable against q-bounded chosen-ciphertext attacks (IND-q-CCA-secure, in short) if the advantage function $\mathrm{Adv}^{\text{ind-q-cca}}_{\mathrm{PKE},A}(k)$ is negligible in $k$ for all adversaries $A = (A_1, A_2)$.

We have the following relation to the standard security definitions for PKE schemes. Scheme PKE is said to be (1) indistinguishable against chosen-plaintext attacks [ref] (CPA), denoted IND-CPA, if it is IND-0-CCA-secure, and (2) indistinguishable against chosen-ciphertext attacks [ref] (CCA2), denoted IND-CCA, if it is IND-q-CCA-secure for any polynomial $q(k)$.

As was done above with indistinguishability, we extend the definition of non-malleability presented in [ref] to consider $q(k)$-bounded adversaries.

Definition 3 (NME-q-CCA security). Let PKE = (Gen, Enc, Dec) be an encryption scheme and let the random variable $\text{NME-q-CCA}_b(\mathrm{PKE}, A, k, \ell)$ where $b \in \{0,1\}$, $A = (A_1, A_2)$ and $k, \ell \in \mathbb{N}$ denote the result of the following probabilistic experiment:

$\text{NME-q-CCA}_b(\mathrm{PKE}, A, k, \ell)$:
    $(pk, sk) \leftarrow \mathrm{Gen}(1^k)$
    $(m_0, m_1, state_1) \leftarrow A_1^{\mathrm{Dec}(sk,\cdot)}(pk)$ s.t. $|m_0| = |m_1|$
    $y \leftarrow \mathrm{Enc}_{pk}(m_b)$
    $(c_1, \dots, c_\ell) \leftarrow A_2^{\mathrm{Dec}(sk,\cdot)}(y, state_1)$
    Output $(d_1, \dots, d_\ell)$ where $d_i = \mathrm{Dec}(sk, c_i)$ if $c_i \neq y$, and $d_i = \bot$ otherwise.

PKE = (Gen, Enc, Dec) is NME-q-CCA-secure for a function $q(k) : \mathbb{N} \to \mathbb{N}$ if, for all p.p.t. algorithms $A = (A_1, A_2)$ which make $q(k)$ total queries to the oracles and for any polynomial $p(k)$, the following two ensembles are computationally indistinguishable:

$$\{\text{NME-q-CCA}_0(\mathrm{PKE}, A, k, p(k))\}_{k \in \mathbb{N}} \approx \{\text{NME-q-CCA}_1(\mathrm{PKE}, A, k, p(k))\}_{k \in \mathbb{N}}$$

If $q(k) = 0$, then the encryption scheme is said to be NME-CPA-secure.

3 Construction of Bounded IND-CCA Secure Encryption 

In this section, we present a black-box construction of an IND-q-CCA-secure 
encryption scheme. The general outline of our construction is as follows. 

First, as demonstrated by Canetti, Halevi and Katz [ref], every identity-based encryption scheme can be transformed into a fully chosen-ciphertext secure encryption scheme. Second, an IND-CPA secure encryption scheme implies a "q-resilient" identity-based encryption scheme. (The notion of q-resilient security in the context of identity-based encryption [ref] means that the scheme guarantees security as long as at most q private keys are established). The latter result is only implicitly contained in a paper about key-insulated public-key cryptosystems by Dodis, Katz, Xu, and Yung [ref]. A closer observation of the combination of the two results already reveals the construction of our IND-q-CCA-secure encryption scheme. Since both transformations are black-box, our main result can be obtained. However, it appears that the implications for black-box constructions of IND-q-CCA-secure encryption from IND-CPA-secure encryption as we deduce them here have not been reported before.

Stateful versus Stateless Encryption. When one only considers stateful encryption, the problem of constructing black-box IND-q-CCA-secure encryption becomes trivial: the receiver's public-key contains q independent public-keys $pk_i$ of the IND-CPA-secure scheme. For $1 \le j \le q$, to encrypt the $j$-th message, a sender uses the $j$-th public-key $pk_j$ as a "one-time key" for the IND-CPA-secure encryption scheme, the state being $j$, which is incremented after each encryption. However, this construction requires all participants to share and update the dynamic state information $j$. (This is in contrast to signature schemes where the signer may maintain a private state).

We circumvent this unrealistic state update assumption by "load-balancing" the use of instances of the IND-CPA-secure base scheme. The general outline of our construction is as follows. We use the q-resilient identity-based encryption construction implicitly given in [ref] based on any IND-CPA-secure PKE scheme. Using a transformation from [ref], this q-resilient identity-based encryption scheme can be transformed into a PKE scheme. As we will see, the resulting PKE scheme is secure against q-bounded chosen-ciphertext adversaries.

Theorem 4. For any fixed polynomial q, there exists a black-box construction that, given any IND-CPA-secure scheme (kg, enc, dec), builds an IND-q-CCA-secure public-key encryption scheme $(\mathrm{Gen}^{\mathrm{kg}}, \mathrm{Enc}^{\mathrm{kg},\mathrm{enc}}, \mathrm{Dec}^{\mathrm{kg},\mathrm{dec}})$.

Here we give a direct proof of this theorem that bypasses the notion of identity-based encryption altogether. We furthermore note that there are some technical problems with the security proof of the implicitly contained q-resilient IBE scheme from [ref] that we fix in this note.[1]

3.1 Building Blocks 

Cover-free families. If $S, T$ are sets, we say that $S$ does not cover $T$ if $S \not\supseteq T$. Let $d, q, s$ be positive integers, and let $F = (F_i)_{1 \le i \le s}$ be a family of subsets of $\{1, \dots, d\}$. We say that family $F$ is q-cover-free over $\{1, \dots, d\}$, if for each subset $F_i \in F$ and each $S$ that is the union of at most $q$ sets in $(F_1, \dots, F_{i-1}, F_{i+1}, \dots, F_s)$, it is the case that $S$ does not cover $F_i$. Furthermore, we say that $F$ is $l$-uniform if all subsets in the family have size $l$. We use the following fact [ref]: there is a deterministic polynomial time algorithm that on input integers $s, q$ returns $l, d, F$ where $F = (F_i)_{1 \le i \le s}$ is an $l$-uniform q-cover-free family over $\{1, \dots, d\}$, for $l = d/4q$ and $d \le 16 q^2 \log(s)$. In the following we let SUB denote the resulting deterministic polynomial-time algorithm that on input $s, q, i$ returns $F_i$. We call $F_i = \mathrm{SUB}(s(k), q(k), i)$ the subset associated to index $i \in \{1, \dots, s(k)\}$.

For our construction we will need a cover-free family with the parameters

$$s(k) = 2^k, \quad d(k) = 16 k q^2(k), \quad l(k) = 4 k q(k). \qquad (1)$$

One-time signatures. In our construction, we need a strong one-time signature scheme OTS = (Sigkg, Sign, Verify) (see [ref]). We assume that the verification keys which are part of the output by Sigkg are bit strings of size $k$ which we interpret as natural numbers in $\{1, \dots, 2^k\}$. Strong one-time signature schemes can be constructed from (the key-generation algorithm of) any IND-CPA-secure encryption scheme via a black-box reduction (since a one-way function can be constructed from the key-generation algorithm, and one-way functions imply strong signature schemes [ref]).

[1] The problem in the proof of Theorem 2 in [ref] (only contained in the full version) is that their simulator (simulating the view of an adversary attacking the IBE scheme) sometimes is forced to abort. However, this forced abort is not independent of the adversary's view in this simulation. This dependence could be exploited by an adversary that has a higher chance in breaking the IBE scheme only if the simulator aborts. We give a different simulation to overcome this problem.
3.2 The Construction 

Let $q(k) : \mathbb{N} \to \mathbb{N}$ be a function. Our construction of the IND-q-CCA encryption scheme (Gen, Enc, Dec) with black-box access to the IND-CPA-secure encryption scheme (kg, enc, dec) is depicted in Fig. 1. In general we can also use any computationally secure all-or-nothing transform (e.g., the black-box construction from [ref] based on one-way functions) to decrease ciphertext size.

Public and secret keys have size polynomial (quadratic) in the maximal num- 
ber of decryption queries q(k). Also note that the upper bound q(k) must be 
known in advance as a parameter of the construction. 


$\mathrm{Gen}^{\mathrm{kg}}(1^k)$: Define $s(k) = 2^k$, $d(k) = 16 k q^2(k)$, $l(k) = 4 k q(k)$ as in Equation (1). For $i = 1, \dots, d(k)$ run $(pk_i, sk_i) \leftarrow \mathrm{kg}(1^k)$. Output $PK = (pk_1, \dots, pk_{d(k)})$ and $SK = (sk_1, \dots, sk_{d(k)})$.

$\mathrm{Enc}^{\mathrm{kg},\mathrm{enc}}(PK, M)$: Create a random pair of one-time signing keys $(vk, sigsk) \leftarrow \mathrm{Sigkg}^{\mathrm{kg}}(1^k)$. Let $F_{vk} = \{s_1, \dots, s_{l(k)}\}$ be the subset associated to verification key $vk$. Pick random $M_1, \dots, M_{l(k)}$ subject to $M = M_1 \oplus \dots \oplus M_{l(k)}$ and run $c_j \leftarrow \mathrm{enc}(pk_{s_j}, M_j)$, for $j = 1, \dots, l(k)$. Sign the ciphertexts $c = (c_1, \dots, c_{l(k)})$ with $sigsk$ by running $\sigma \leftarrow \mathrm{Sign}^{\mathrm{kg}}(sigsk, c)$ and output $C = (c, vk, \sigma)$.

$\mathrm{Dec}^{\mathrm{kg},\mathrm{dec}}(SK, (c = (c_1, \dots, c_{l(k)}), vk, \sigma))$: If $\mathrm{Verify}^{\mathrm{kg}}(vk, c, \sigma)$ rejects, return reject. Let $F_{vk} = \{s_1, \dots, s_{l(k)}\}$ be the subset associated to $vk$. For $j = 1, \dots, l(k)$ run $M_j \leftarrow \mathrm{dec}(sk_{s_j}, c_j)$ and output $M = M_1 \oplus \dots \oplus M_{l(k)}$.


Fig. 1. Black-box construction of an IND-q-CCA secure encryption scheme 
(Gen, Enc, Dec) from any IND-CPA-secure scheme (kg, enc, dec) 
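The construction of Fig. 1 as a runnable Python example. This is an added illustration, not code from the paper or its authors, and it makes several assumptions: a toy safe-prime group (p = 1019) that is far too small for real use, hashed ElGamal as the IND-CPA base scheme (kg, enc, dec), a Lamport one-time signature whose public key is compressed by a k-bit hash as the strong OTS, and a pseudorandom stand-in for SUB (the toy parameters d = 64, l = 8 are constructed, and this stand-in carries no cover-free guarantee; the paper's construction uses the deterministic cover-free family with d = 16kq², l = 4kq). The names `pad`, `commit`, `msg_bits`, `xor_all` and `demo` are hypothetical helpers introduced here.

```python
import hashlib
import secrets

# Toy parameters, constructed for this example (far too small for real use).
P, Q, G = 1019, 509, 4   # safe prime P = 2Q + 1; G = 4 generates the order-Q subgroup
K = 16                   # security parameter k: verification keys are K-bit strings
D, L = 64, 8             # d(k) base keypairs and l(k) keys per subset (paper: 16kq^2, 4kq)


def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"|".join(parts)).digest()


def xor_all(values) -> int:
    out = 0
    for v in values:
        out ^= v
    return out


# IND-CPA base scheme (kg, enc, dec): hashed ElGamal on K-bit messages (assumed stand-in).
def kg():
    x = secrets.randbelow(Q - 1) + 1
    return pow(G, x, P), x                                   # (pk, sk)


def pad(elem: int) -> int:
    return int.from_bytes(H(b"kdf", elem.to_bytes(2, "big")), "big") % (1 << K)


def enc(pk: int, m: int):
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), m ^ pad(pow(pk, r, P))


def dec(sk: int, c) -> int:
    u, v = c
    return v ^ pad(pow(u, sk, P))


# Strong one-time signature (Sigkg, Sign, Verify): Lamport scheme, with the public key
# committed to by a K-bit hash so that vk is a K-bit string as the paper assumes.
def msg_bits(msg: bytes):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def commit(pk) -> int:
    return int.from_bytes(H(*[h for pair in pk for h in pair]), "big") % (1 << K)


def sigkg():
    sk = [(secrets.token_bytes(16), secrets.token_bytes(16)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return commit(pk), (sk, pk)                              # (vk, sigsk)


def sign(sigsk, msg: bytes):
    sk, pk = sigsk
    return pk, [sk[i][b] for i, b in enumerate(msg_bits(msg))]


def verify(vk: int, msg: bytes, sig) -> bool:
    pk, pre = sig
    return commit(pk) == vk and all(H(pre[i]) == pk[i][b] for i, b in enumerate(msg_bits(msg)))


# SUB: the subset F_vk of {0, ..., D-1} of size L associated to vk. Assumed stand-in: derived
# pseudorandomly from vk, not the deterministic cover-free family algorithm the paper cites.
def SUB(vk: int):
    chosen, ctr = [], 0
    while len(chosen) < L:
        i = int.from_bytes(H(b"sub", vk.to_bytes(4, "big"), ctr.to_bytes(2, "big")), "big") % D
        ctr += 1
        if i not in chosen:
            chosen.append(i)
    return chosen


# Fig. 1: (Gen, Enc, Dec) with black-box access to (kg, enc, dec).
def Gen():
    keys = [kg() for _ in range(D)]
    return [pk for pk, _ in keys], [sk for _, sk in keys]   # (PK, SK)


def Enc(PK, M: int):
    vk, sigsk = sigkg()
    shares = [secrets.randbelow(1 << K) for _ in range(L - 1)]
    shares.append(M ^ xor_all(shares))                      # M = M_1 xor ... xor M_l
    c = tuple(enc(PK[s], Mj) for s, Mj in zip(SUB(vk), shares))
    return c, vk, sign(sigsk, repr(c).encode())            # C = (c, vk, sigma)


def Dec(SK, C):
    c, vk, sigma = C
    if not verify(vk, repr(c).encode(), sigma):
        return None                                          # reject
    return xor_all(dec(SK[s], cj) for s, cj in zip(SUB(vk), c))


def demo(M: int = 0xBEEF):
    """Round trip, plus a ciphertext with one share bit flipped (rejected by Verify)."""
    PK, SK = Gen()
    c, vk, sigma = Enc(PK, M)
    tampered = (c[0], (c[1][0], c[1][1] ^ 1)) + c[2:]
    return Dec(SK, (c, vk, sigma)), Dec(SK, (tampered, vk, sigma))
```

The XOR-sharing is what makes the reduction in Lemma 1 work: every share except the one under the embedded challenge key is uniform, so the simulator need not know that one secret key. The signature over the whole share vector is what forces any modified ciphertext either to reuse vk (rejected in Game 1) or to pick a fresh vk whose subset, by cover-freeness, must contain a key the adversary has not yet exercised.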

The following proves our main result, Theorem 4.

Lemma 1. If (kg, enc, dec) is IND-CPA secure then $(\mathrm{Gen}^{\mathrm{kg}}, \mathrm{Enc}^{\mathrm{kg},\mathrm{enc}}, \mathrm{Dec}^{\mathrm{kg},\mathrm{dec}})$ as described in Fig. 1 is IND-q-CCA secure.

Proof. For any PPT adversary $A$ against the IND-q-CCA security of $(\mathrm{Gen}^{\mathrm{kg}}, \mathrm{Enc}^{\mathrm{kg},\mathrm{enc}}, \mathrm{Dec}^{\mathrm{kg},\mathrm{dec}})$, we show, via a game-based proof, that $A$'s advantage in the IND-q-CCA game is negligible.

Let Game 0 be the IND-q-CCA game with adversary $A$ and uniformly chosen experiment bit $b$. Let $X_0$ denote the event that $A$'s final guess is correct (i.e., $X_0$ denotes that $b' = b$). For later games, let $X_i$ ($i > 0$) be defined analogously. Then

$$\tfrac{1}{2}\,\mathrm{Adv}^{\text{ind-q-cca}}_{\mathrm{PKE},A}(k) = \left|\Pr[X_0] - \tfrac{1}{2}\right|.$$

Game 1 is identical to Game 0, except that the verification key $vk^*$ for the challenge ciphertext is initially chosen, and all decryption queries with $vk = vk^*$ are rejected. By reduction on the security of the signature scheme OTS, one can show that

$$|\Pr[X_1] - \Pr[X_0]| \le \mathrm{Adv}^{\text{ots-for}}_{\mathrm{OTS},F}(k)$$

for a suitable adversary $F$, where $\mathrm{Adv}^{\text{ots-for}}_{\mathrm{OTS},F}(k)$ is the probability that $F$ breaks the existential unforgeability of the one-time signature scheme.

Game 2 proceeds like Game 1, but we introduce some notation useful for later. Denote by $C^{(i)} = (c^{(i)}, vk^{(i)}, \sigma^{(i)})$ the $i$-th decryption request of $A$. Define

$$Q := \bigcup_i F_{vk^{(i)}}$$

for the sets $F_{vk^{(i)}}$ of PKE keypairs associated with the respective $i$-th query. We know that $F_{vk^*} \not\subseteq Q$ (at most $q$ sets are involved and, by Game 1, all $vk^{(i)} \neq vk^*$, so cover-freeness applies), so we can define $j := \min(F_{vk^*} \setminus Q)$. Additionally, we choose (this can be done at the beginning of the game, right after $vk^*$ is fixed) uniformly and independently $i \in F_{vk^*}$. Call FAIL the event that $i \neq j$. Note that

$$\Pr[\mathrm{FAIL} \mid X_2] = \frac{l-1}{l} = \Pr[\mathrm{FAIL}],$$

so the events $X_2$ and FAIL are independent, and in particular, $\Pr[X_2] = \Pr[X_2 \mid \neg\mathrm{FAIL}]$. Since we did not actually change anything, $\Pr[X_2] = \Pr[X_1]$.

In Game 3, we substitute $A$'s output $b'$ with a random bit whenever FAIL occurs. Obviously,

$$\Pr[X_3 \mid \neg\mathrm{FAIL}] = \Pr[X_2 \mid \neg\mathrm{FAIL}] \quad\text{and}\quad \Pr[X_3 \mid \mathrm{FAIL}] = \tfrac{1}{2}.$$

Since $\Pr[\mathrm{FAIL}] = (l-1)/l$ in Game 3 as well, we can establish that


In Game 4, we immediately stop the experiment and set FAIL to true (hence immediately taking a random bit for $A$'s output) as soon as $A$ asks for a decryption of a ciphertext with a verification key $vk \neq vk^*$ such that $i \in F_{vk}$. Note that already in Game 3, such a query would have implied $j \neq i$ and hence FAIL. Consequently,

$$\Pr[X_4] = \Pr[X_3].$$

Note that Game 4 can be run without knowledge of the secret key $sk_i$.

In Game 5, the challenge ciphertext is prepared as follows. For encrypting the challenge message $M_b$ with PKE, we first choose uniformly PKE plaintexts $M^*_1, \dots, M^*_{i-1}, M^*_{i+1}, \dots, M^*_l$ and then the suitable

$$M^*_i := M_b \oplus \bigoplus_{r \neq i} M^*_r.$$

Note that then, only the plaintext $M^*_i$ depends on the experiment bit $b$. This does not change the distribution of the whole vector $M^*_1, \dots, M^*_l$, and we have

$$\Pr[X_5] = \Pr[X_4].$$

On the other hand, Game 5 can be directly mapped to an adversary $B$ on the IND-CPA security of the base scheme. More concretely, $B$ simulates Game 5, but substitutes $pk_i$ with its own challenge public key, and submits as challenge plaintexts

$$M'_0 := M_0 \oplus \bigoplus_{r \neq i} M^*_r \quad\text{and}\quad M'_1 := M_1 \oplus \bigoplus_{r \neq i} M^*_r.$$

Then, $\Pr[X_5]$ is precisely the success probability of $B$ in the IND-CPA experiment:

$$\left|\Pr[X_5] - \tfrac{1}{2}\right| = \tfrac{1}{2}\,\mathrm{Adv}^{\text{ind-cpa}}_{\mathrm{pke},B}(k).$$

Collecting probabilities shows that

$$\mathrm{Adv}^{\text{ind-q-cca}}_{\mathrm{PKE},A}(k) \le l(k) \cdot \mathrm{Adv}^{\text{ind-cpa}}_{\mathrm{pke},B}(k) + 2 \cdot \mathrm{Adv}^{\text{ots-for}}_{\mathrm{OTS},F}(k).$$

Since $\mathrm{Adv}^{\text{ind-cpa}}_{\mathrm{pke},B}$ and $\mathrm{Adv}^{\text{ots-for}}_{\mathrm{OTS},F}$ are negligible, this shows the claim. □

Remark 1. We stress that it is important for our construction that the number of subsets $s(k)$ is super-polynomial in $k$. One could try to trivially build $q(k)$-bounded CCA secure encryption PKE from CPA secure pke using a public/secret key vector of size $q(k)$ and defining the subsets $F_i$ as $\{i\}$, for $1 \le i \le s(k) := q(k)$. For encryption, a message gets encrypted using $pk_{vk}$, where $vk \in \{1, \dots, q(k)\}$ is one of the $q(k)$ distinct public keys of pke, and $vk$ is a random verification key of the signature scheme. However, since there are only $q(k)$ many possible choices of verification keys, one can break the scheme by (trivially) breaking the signature scheme with probability $1/q(k)$.

Remark 2. It might be interesting to explore what (additional) security properties the resulting scheme PKE satisfies once invoked with a base scheme pke that itself is not only IND-CPA-secure, but, say, NME-CPA-secure. Unfortunately, we cannot hope that PKE is NME-CPA-secure, independently of the base scheme's security: say that adversary $A$ receives a challenge ciphertext $C^* = (c^*, vk^*, \sigma^*)$ with $c^* = (c^*_1, \dots, c^*_l)$ and $F_{vk^*} = \{s^*_1, \dots, s^*_l\}$. Then $A$ may be able to construct $l(k)$ ciphertexts $C^{(1)}, \dots, C^{(l)}$ such that $C^{(i)}$ is associated with a subset $F^{(i)}$ with $s^*_i \in F^{(i)} \neq F_{vk^*}$, and the vector $c^{(i)}$ consists only of 0-encryptions except for $c^*_i$. The XOR of the decryptions of the $C^{(i)}$ is precisely the challenge plaintext, hence this is a successful malleability attack.

We note that if we assume the IND-CCA1 security of the base scheme pke, this proof also shows that the resulting scheme PKE is secure against IND-CCA attackers who have full access to a decryption oracle before receiving the challenge ciphertext, but only limited access ($q$ queries) to it in the second attack phase.
4 Bounded IND-CCA-Secure Encryption from DDH

In this section we propose a construction of IND-q-CCA-secure encryption based on the Decisional Diffie-Hellman (DDH) assumption. The construction follows the approach from the previous section; we make use of cover-free sets and (with the same parameters as in Section 3) set up $d(k)$ independent instances of the (semantically secure) El-Gamal encryption scheme. We encrypt a message using a subset of the $d(k)$ keys, where the subset is determined by cover-free sets. Certain homomorphic properties of El-Gamal encryption are exploited to shrink the ciphertext size down to one group element. (This stands in contrast to Cramer-Shoup encryption which requires 4 group elements, and the Kurosawa-Desmedt one which requires 2 group elements and a MAC). The main contribution of this section is to demonstrate the existence of such limited $q(k)$-bounded CCA secure schemes with such an optimal ciphertext size.

To instantiate our scheme we need the following building blocks:

— A cyclic group $G$ of prime-order $p$ where the DDH assumption is believed to hold, i.e., the two distributions $(g, g^x, g^y, g^{xy})$ and $(g, g^x, g^y, g^z)$ are computationally indistinguishable, for random $g \in G$, and random $x, y, z \in \mathbb{Z}_p$.

— A redundancy-free symmetric-key encryption scheme $(E, D)$ which is secure against chosen-ciphertext attacks [ref]. Such schemes can be constructed based on strong pseudorandom permutations [ref]. For simplicity, we assume that the key space of $(E, D)$ is $G$. (In practice, we can convert $K \in G$ into a random binary string by using key derivation functions [ref]).

— A hash function $\mathrm{TCR} : G \to \{0,1\}^k$ that is assumed to be target collision-resistant [ref].

Let $G$ be a prime order group and $g$ a random generator of $G$. The construction is given in Fig. 2. Correctness is easy to verify. Public and secret keys have quadratic size in the maximal number of decryption queries $q(k)$. The ciphertext overhead of the scheme (i.e., the difference between ciphertext and plaintext size) is only one group element $c \in G$. The ciphertext length of our scheme is considered optimal since it is the same as that of the CPA secure (original) El-Gamal encryption.

$\mathrm{Gen}(1^k)$: Define $s(k) = 2^k$, $d(k) = 16 k q^2(k)$, $l(k) = 4 k q(k)$. For $i = 1, \dots, d(k)$ compute $X_i = g^{x_i}$ for random $x_i \in \mathbb{Z}_p$. Output $PK = (X_1, \dots, X_{d(k)})$ and $SK = (x_1, \dots, x_{d(k)})$.

$\mathrm{Enc}(PK, M)$: Compute $c = g^r$ for random $r \in \mathbb{Z}_p$. Let $F_t$ be the subset associated to $t = \mathrm{TCR}(c)$. Use symmetric key $K = (\prod_{i \in F_t} X_i)^r$ to encrypt message $M$ to $\psi \leftarrow E_K(M)$. Output $C = (c, \psi)$.

$\mathrm{Dec}(SK, C = (c, \psi))$: Let $F_t$ be the subset associated to $t = \mathrm{TCR}(c)$. Reconstruct the symmetric key as $K = c^{\sum_{i \in F_t} x_i}$ and decrypt $\psi$ to $M \leftarrow D_K(\psi)$.

Fig. 2. An IND-q-CCA-secure PKE scheme based on DDH

Theorem 5. Assume TCR is a target collision-resistant hash function, $G$ is a group where the DDH assumption holds, and $(E, D)$ is a symmetric encryption scheme that is secure against chosen-ciphertext attacks. Then PKE as described in Fig. 2 satisfies IND-q-CCA security.

The proof of this theorem is very similar to the one of Lemma 1 and is omitted here. The idea is to prove that the underlying key encapsulation mechanism (KEM) is IND-q-CCA-secure under the DDH assumption. Using the KEM/DEM composition theorem [ref], this implies the result. Intuitively, we can explain $q(k)$-bounded CCA security of the KEM part as follows: Given $(g, g^x, g^y, h) \in G^4$, an algorithm $B$ against the DDH problem randomly picks $a$ from $F_{t^*}$ where $t^* = \mathrm{TCR}(g^y)$, and sets $X_a \leftarrow g^x$. For all $i \in \{1, \dots, d(k)\} \setminus \{a\}$, $B$ computes $x_i \leftarrow \mathbb{Z}_p$ and $X_i \leftarrow g^{x_i}$, and gives $PK = (X_1, \dots, X_{d(k)})$ to another adversary $A$ against the IND-q-CCA security of the KEM part. $B$ also sets $(c^*, K^*)$ as a challenge which will be given to $A$, where $c^* = g^y$, and $K^* = h \cdot \prod_{i \in F_{t^*} \setminus \{a\}} (g^y)^{x_i}$. $B$ outputs "$h = g^{xy}$" if $A$ outputs "real key", or "$h \neq g^{xy}$" otherwise. It is clear that for any query $c$, $B$ can respond $K = c^{\sum_{i \in F_t} x_i}$ unless $a \in F_t$ where $t = \mathrm{TCR}(c)$. Then, by a similar argument to that in Lemma 1 we can show that $B$ breaks the DDH assumption.
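The KEM half of Fig. 2 (key encapsulation and decapsulation, without the symmetric scheme (E, D)) as an added Python example; it is not code from the paper or its authors. It assumes a toy safe-prime group (p = 1019) that is far too small for real use, truncated SHA-256 as a stand-in for TCR, a pseudorandom stand-in for the cover-free subsets with constructed parameters d = 64, l = 8 (no cover-free guarantee, unlike the paper's 16kq² and 4kq), and the hypothetical helper `simulator_can_answer`, which only checks the condition a ∉ F_t from the proof sketch above.

```python
import hashlib
import secrets

# Toy group and parameters, constructed for this example (far too small for real use).
P, Q, G = 1019, 509, 4   # safe prime P = 2Q + 1; G = 4 generates the order-Q subgroup
D, L = 64, 8             # d(k) ElGamal keys and l(k) keys per subset (paper: 16kq^2, 4kq)


def TCR(c: int) -> int:
    """Target collision-resistant hash G -> {0,1}^k; assumed stand-in: truncated SHA-256."""
    return int.from_bytes(hashlib.sha256(c.to_bytes(2, "big")).digest(), "big") % (1 << 16)


def SUB(t: int):
    """Subset F_t of {0, ..., D-1} of size L; assumed pseudorandom stand-in for the cover-free family."""
    chosen, ctr = [], 0
    while len(chosen) < L:
        h = hashlib.sha256(b"sub" + t.to_bytes(4, "big") + ctr.to_bytes(2, "big")).digest()
        ctr += 1
        i = int.from_bytes(h, "big") % D
        if i not in chosen:
            chosen.append(i)
    return chosen


def Gen():
    """PK = (X_1, ..., X_d) with X_i = g^{x_i}; SK = (x_1, ..., x_d)."""
    xs = [secrets.randbelow(Q - 1) + 1 for _ in range(D)]
    return [pow(G, x, P) for x in xs], xs


def Encap(PK):
    """Sender side: c = g^r and K = (prod_{i in F_t} X_i)^r with t = TCR(c)."""
    r = secrets.randbelow(Q - 1) + 1
    c = pow(G, r, P)
    Y = 1
    for i in SUB(TCR(c)):
        Y = Y * PK[i] % P        # one multiplication per key, then a single exponentiation
    return c, pow(Y, r, P)


def Decap(SK, c: int) -> int:
    """Receiver side: K = c^{sum_{i in F_t} x_i}; the exponent sum is taken mod the group order."""
    return pow(c, sum(SK[i] for i in SUB(TCR(c))) % Q, P)


def simulator_can_answer(a: int, c: int) -> bool:
    """In the DDH reduction B does not know x_a, so it can serve a query c only if a is not in F_TCR(c)."""
    return a not in SUB(TCR(c))


def demo() -> bool:
    """Encapsulate under a fresh key vector and check that the receiver recovers the same K."""
    PK, SK = Gen()
    c, K = Encap(PK)
    return Decap(SK, c) == K
```

Decap is where the homomorphic property shows up: the receiver never recomputes the l individual ElGamal shares $X_i^r$, it adds the l secret exponents and does one exponentiation, and the sender's single group element $c$ is all that is transmitted. The binding of the subset to $c$ through TCR replaces the one-time signature of Fig. 1: a query with a different $c$ selects a different subset unless TCR collides.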

5 Construction of Bounded NME-CCA-Secure Encryption

In this section, we construct an NME-q-CCA-secure encryption scheme using any semantically secure (IND-CPA-secure) encryption scheme. The construction is the same as the DDN construction [ref] and the construction of Pass, Shelat and Vaikuntanathan [ref], except that the NIZK proof used is a "designated-verifier" NIZK proof (DV-NIZK) with "q-bounded strong soundness". Informally, a designated-verifier NIZK proof is one where the verifier has some secret information that enables him to check the validity of a proof. A DV-NIZK proof is q-bounded sound, if soundness holds even against an adversary who can query the verifier on at most $q$ proofs and learn if the proofs are valid or not. We refer the reader to the full version for definitions and constructions of such designated verifier NIZK (relying on the construction from [ref]).[2]

Because the security proof for this construction is so similar to the one from [ref], we merely summarize the differences necessary to take care of the additional decryption oracle available to a q-CCA adversary. For a full proof, refer to the full version of this paper.

Theorem 6. Assume there exists an IND-CPA-secure scheme. Then, for every polynomial $q$, there exists an encryption scheme that is NME-q-CCA-secure.

Proof idea: Recall that an encryption of a message $m$ from the construction in [ref] is of the form $(c, \pi, vk, \sigma)$, where $vk := v_1 \dots v_k$ is a $k$-bit verification-key for a strong one-time signature scheme, $c = (c_1, \dots, c_k)$ is a vector of encryptions of $m$ where $c_i$ is an encryption of $m$ under the IND-CPA public-key $pk_{i,v_i}$, $\pi$ is a DV-NIZK proof that all the encryptions in $c$ are encryptions of the same message, and $\sigma$ is a signature of $(c, \pi)$ under a signing key corresponding to $vk$.

[2] For technical reasons we also require to slightly strengthen the zero-knowledge property of the designated verifier NIZK of [ref].

The proof in [ref] proceeds by defining hybrid experiments $\mathrm{NME}^{(1)}_b$ and $\mathrm{NME}^{(2)}_b$ and proceeding to show that the experiments are indistinguishable, and that if an adversary succeeds in breaking $\mathrm{NME}^{(2)}_b$, it breaks the semantic security of the underlying encryption scheme.

We will proceed in a completely analogous way, by defining experiments $\text{NME-q-CCA}^{(1)}_b$ and $\text{NME-q-CCA}^{(2)}_b$ for $b \in \{0,1\}$. The experiment $\text{NME-q-CCA}^{(1)}_b$ proceeds like $\text{NME-q-CCA}_b$ except that the DV-NIZK proof in the challenge ciphertext is generated by the zero-knowledge simulator for the DV-NIZK proof system. To answer the decryption queries, notice that each experiment itself knows all the secret keys, including the DV-NIZK key $SP$ that is required to check the validity of a proof.

If the two experiments are distinguishable, we can construct an adversary that breaks the adaptive zero-knowledge of the DV-NIZK. Slightly more precisely, a theorem-chooser/distinguisher pair $(A_{zk}, D_{zk})$ on the DV-NIZK is constructed such that $A_{zk}$ internally simulates the first stage (up to the generation of the challenge ciphertext) of the $\mathrm{NME}_b$ experiment, and $D_{zk}$ internally simulates the second stage. $A_{zk}$ generates all encryption and signature keypairs on its own, but takes the DV-NIZK public key $pp$ from the adaptive zero-knowledge experiment. Since we assume a DV-NIZK with a strong adaptive zero-knowledge property, in the corresponding reduction already $A_{zk}$ knows $SP$ and can thus answer decryption queries before the challenge ciphertext is known. This is the only difference from the proof of Claim 1 in [ref].

In Claim 2 of [ref], the probability for the event $\mathrm{BadNIZK}(\mathrm{Expt})$ that the adversary breaks the soundness of the DV-NIZK (in $\mathrm{Expt} \in \{\mathrm{NME}_b, \mathrm{NME}^{(1)}_b, \mathrm{NME}^{(2)}_b\}$) must be shown negligible. For $\mathrm{Expt} = \mathrm{NME}_b$, this is done by constructing an adversary $A_s$ on the soundness property of the DV-NIZK. Here, $A_s$ internally simulates the complete $\mathrm{NME}_b$ experiment (except for the final decryption of the forged ciphertext vector) and generates all keypairs except the DV-NIZK key on its own. The DV-NIZK public key $pp$ is taken from the soundness experiment; since in the CPA setting of [ref], no decryptions are necessary, this is sufficient. However, in our q-CCA setting, $A_s$ might need to answer up to $q$ decryption queries in the NME-q-CCA experiment, and thus needs to check the validity of up to $q$ DV-NIZK proofs. Fortunately, this is exactly what an adversary against the assumed q-adaptive soundness property can do by using the "verifier-oracle" that checks the validity of proofs at most $q$ times.

Then, $\Pr[\text{NME-q-CCA}^{(1)}_b] \approx \Pr[\text{NME-q-CCA}_b]$ follows similarly (only now by a reduction on the strong adaptive zero-knowledge property as before).

The experiment $\text{NME-q-CCA}^{(2)}_b$ is defined similarly to [ref]. However, we cannot show $\Pr[\text{NME-q-CCA}^{(2)}_b] = \Pr[\text{NME-q-CCA}^{(1)}_b]$, but can only show $\Pr[\text{NME-q-CCA}^{(2)}_b] \approx \Pr[\text{NME-q-CCA}^{(1)}_b]$, which is sufficient for the further argument. The reason that we cannot show equality is that the view of an adversary in the $\text{NME-q-CCA}^{(i)}_b$ experiments is identical for $i = 1, 2$ only under the condition that the answers to CCA decryption queries do not differ (for $i = 1, 2$; note that in experiment $\text{NME-q-CCA}^{(2)}_b$, decryption is performed differently than in $\text{NME-q-CCA}^{(1)}_b$). However, such decryption queries are answered differently only if event BadNIZK happens or if the adversary successfully forged a signature. The probability that one of these events occurs in $\text{NME-q-CCA}^{(1)}_b$ is negligible, and thus $\Pr[\text{NME-q-CCA}^{(2)}_b] \approx \Pr[\text{NME-q-CCA}^{(1)}_b]$ follows.

If the adversary succeeds in $\text{NME-q-CCA}^{(2)}_b$, we can construct another adversary that breaks the semantic security of the underlying cryptosystem. The rest of the proof is completely analogous to that in [ref].

6 Separating NME-CPA from IND-q-CCA 

In this section, we show that under bounded chosen ciphertext attacks, non-malleability of the encryption scheme is not immediately implied by indistinguishability. In particular, for any polynomial $q$, we exhibit an encryption scheme that is IND-q-CCA-secure but is not non-malleable under even a chosen plaintext attack (i.e., a malleability attack where the adversary makes no decryption queries). In contrast, it has been shown that unbounded IND-CCA security implies non-malleability (even against unbounded CCA attacks) [ref].


$\mathrm{Gen}'(1^k)$: Run $\mathrm{Gen}(1^k)$ and get a pair of keys $(pk, sk)$. Suppose $sk$ is an $\ell$-bit string. Choose a random degree-$q$ polynomial $p(x) = p_q x^q + \dots + p_1 x + sk$ with coefficients in $\mathrm{GF}(2^\ell)$ and whose constant term is $sk$. Output $pk' = pk$ and $sk' = (sk, p)$.

$\mathrm{Enc}'(pk, m)$: Get $c \leftarrow \mathrm{Enc}(pk, m)$ and output $(0, c)$.

$\mathrm{Dec}'(sk', c)$: Parse $c$ as $(c_1, c_2)$. If $c_1 = 0$, output $\mathrm{Dec}(sk, c_2)$. Else, if $c_2 > 0$, output $p(c_2)$ and otherwise return 0.

Fig. 3. An IND-q-CCA-secure PKE scheme PKE' which is malleable


Theorem 7. If there exists an IND-q-CCA secure cryptosystem PKE, then there exists another IND-q-CCA secure cryptosystem PKE' that is not NME-CPA-secure.

Remark. Theorem 4 shows that the existence of a semantically-secure cryptosystem implies the existence of an IND-q-CCA cryptosystem. Therefore, the "if" clause of the above theorem can be simplified. However, we choose to present it as above to highlight the point that IND-CCA does not imply NME-CPA.
Proof. Assume that there exists an encryption scheme PKE = (Gen, Enc, Dec) that is IND-q-CCA-secure. Then, we construct an encryption scheme PKE' = (Gen', Enc', Dec') (given in Figure 3) that is also IND-q-CCA-secure, but is not NME-CPA-secure. The proof follows from the two claims shown below.

Claim. (Gen', Enc', Dec') is IND-q-CCA-secure.

Proof. Suppose that the claim does not hold. We use the adversary $A$ that breaks the security of PKE' = (Gen', Enc', Dec') to construct a q-bounded IND-q-CCA attack against PKE = (Gen, Enc, Dec). The new adversary $A'$, on input $pk$, simply runs $A(pk)$. When asked to decrypt a ciphertext $(0, c)$, it forwards the query to its own decryption oracle. When asked to decrypt a ciphertext of the form $(1, c_2)$, it returns either 0 if $c_2 = 0$ or a random value. Since $A$ makes at most $q$ queries, $A'$ will be able to answer all queries. The simulation is perfect because the degree-$q$ polynomial $p(\cdot)$ is $q$-wise independent. This adversary $A'$ succeeds with the same probability as $A$, which contradicts the assumption that PKE is $q$-bounded secure. □

Claim. (Gen', Enc', Dec') is not NME-CPA-secure.

Proof. Without loss of generality, assume that the message space of PKE includes the bits 0 and 1. On input a public key $pk$, the adversary submits as a message pair, 0 and 1.

Upon receiving a ciphertext $c$, the attacker first computes $\alpha = \mathrm{Enc}(pk, c)$. It then returns the vector $(\alpha, \beta_1, \dots, \beta_{q+1})$ where $\beta_i = (1, i)$.

Notice that the output of the experiment is the vector $(c, p(1), \dots, p(q+1))$. The distinguisher $D$ now works as follows. It first uses $p(1), \dots, p(q+1)$ to interpolate the secret key $sk$, and then runs $\mathrm{Dec}(sk, c)$ and prints the result as its output.

The distinguisher's output in the $\mathrm{NME}_0$ experiment will therefore be 0 and its output in the $\mathrm{NME}_1$ experiment will be 1, which shows that PKE' is not even NME-CPA-secure.

As one final point, it may be that the message space of PKE does not include the ciphertext (for example, the size of the ciphertext may be too big). This is easily handled. The adversary can simply encode $c$ in a bit-by-bit fashion over many ciphertexts, and the distinguisher can simply reconstruct $c$ to perform its test. □
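The polynomial part of Fig. 3 and the two claims above, as an added Python example that is not code from the paper or its authors. It keeps only the $(1, c_2)$ branch of Dec' (the base scheme (Gen, Enc, Dec) is abstract here), works over GF(2^8) with the AES field polynomial as a toy substitute for GF(2^ℓ) with an ℓ-bit key, and uses the hypothetical helpers `consistent_keys` and `recover_sk`. The first shows the $q$-wise independence the IND-q-CCA claim relies on (after $q$ oracle answers every key is still possible); the second is the distinguisher of the NME-CPA claim, interpolating $p(1), \dots, p(q+1)$ at 0.

```python
import secrets

# GF(2^E) with the AES polynomial x^8 + x^4 + x^3 + x + 1. The paper uses GF(2^l) for an
# l-bit secret key; E = 8 is a toy size chosen for this example.
E = 8
IRRED = 0x11B


def gf_mul(a: int, b: int) -> int:
    """Carry-less multiplication with reduction modulo IRRED."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & (1 << E):
            a ^= IRRED
    return r


def gf_inv(a: int) -> int:
    """a^(2^E - 2) = a^-1 for a != 0, by square-and-multiply."""
    r, n = 1, (1 << E) - 2
    while n:
        if n & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        n >>= 1
    return r


def poly_eval(coeffs, x: int) -> int:
    """Horner evaluation; coeffs[0] is the constant term, i.e. the secret key sk."""
    r = 0
    for c in reversed(coeffs):
        r = gf_mul(r, x) ^ c
    return r


def interpolate(points, x: int) -> int:
    """Lagrange interpolation at x over GF(2^E); subtraction is XOR in characteristic 2."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if j != i:
                num = gf_mul(num, x ^ xj)
                den = gf_mul(den, xi ^ xj)
        total ^= gf_mul(yi, gf_mul(num, gf_inv(den)))
    return total


def gen_prime(q: int):
    """Gen' of Fig. 3, polynomial part only: sk' = (sk, p) with p of degree q and p(0) = sk."""
    sk = secrets.randbelow(1 << E)
    return sk, [sk] + [secrets.randbelow(1 << E) for _ in range(q)]


def dec_prime_poly(p, c2: int) -> int:
    """Dec' on a ciphertext (1, c2): p(c2) if c2 > 0, else 0."""
    return poly_eval(p, c2) if c2 > 0 else 0


def consistent_keys(p, q: int, n: int):
    """Constant terms sk' for which some degree-q polynomial with p'(0) = sk' agrees with the
    n oracle answers p(1), ..., p(n). With n = q every key remains possible; with n = q + 1
    only the true sk does."""
    answers = [(i, dec_prime_poly(p, i)) for i in range(1, n + 1)]
    keys = []
    for guess in range(1 << E):
        fixed = [(0, guess)] + answers[:q]          # q + 1 points pin down a degree-q polynomial
        if all(interpolate(fixed, x) == y for x, y in answers):
            keys.append(guess)
    return keys


def recover_sk(p, q: int) -> int:
    """The distinguisher D: interpolate p(1), ..., p(q+1) and read off p(0) = sk."""
    return interpolate([(i, dec_prime_poly(p, i)) for i in range(1, q + 2)], 0)
```

The same computation explains both claims: a bounded adversary with $q$ decryption queries sees at most $q$ evaluations, which a random degree-$q$ polynomial leaves uniformly consistent with every candidate key, while the malleability adversary, who is never charged for the $q+1$ ciphertexts $(1, i)$ it hands to the experiment, gets the one extra evaluation that fixes $p$ and hence $sk$.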
Abstract. Since its introduction in the early 90's, the notion of non-malleability for encryption schemes has been formalized using a number of conceptually different definitional approaches, most notably, the "pragmatic" indistinguishability-based approach and the "semantical" simulation-based approach. We provide a full characterization of these approaches and consider their robustness under composition.

Keywords: Public-key Encryption, Non-malleability.


1 Introduction 

The basic goal of an encryption scheme is to guarantee the privacy of data. A good formalization of privacy is the notion of semantic security as defined by Goldwasser and Micali [GM84]. Intuitively, semantic security guarantees that “whatever a polynomial-time machine can learn about a message given its encryption, it can learn even without seeing the encryption.”

When encryption schemes are deployed in more complex environments, the demands for security of encryption grow beyond just the basic privacy requirement. Motivated by practical security requirements, the seminal work of Dolev, Dwork and Naor [DDN00] defined the notion of non-malleability — a qualitatively stronger notion of security for encryption schemes. In addition to the normal “privacy” guarantee, non-malleability ensures that it is infeasible for an adversary to modify a vector of ciphertexts a_1, ..., a_n into other ciphertexts of messages which are related to the decryption of a_1, ..., a_n. This stronger notion of security is critical for many practical applications.

Two Formalizations. The notion of non-malleability for encryption schemes has 
been formalized using two different approaches: 

— The “Semantical” Simulation-based Approach. The definition presented in the original work of [DDN00] is a so-called “simulation-based” one. The main idea is to capture the requirement that an adversary having access to ciphertexts (and potentially a decryption oracle in case of CCA1/CCA2 attacks) will not be able to “cause more harm” than a simple adversary that does not see any ciphertexts and does not have access to a decryption oracle. This simulation-based definition of non-malleability is denoted SIM-NME, and like semantic security, the goal of this definition is to capture the “meaning” of non-malleability. As a result, it is often harder to directly prove that a scheme meets the simulation-based definition.

— The “Pragmatic” Indistinguishability-based Approach. Bellare et al. present a “comparison-based” formalization of non-malleability [BDPR98]. This notion does away with the “simulator” used in [DDN00] and instead captures non-malleability through an indistinguishability-style definition. Other indistinguishability-based definitions appear in [BS99, PSV06]. We denote by IND-NME the indistinguishability-based approach to defining non-malleability. The goal of this indistinguishability-based approach is to provide definitions that are easier to “work with.”

Just as Goldwasser and Micali [GM84] show equivalence between simulation-based and indistinguishability-based definitions of secrecy, Bellare and Sahai [BS06] (clarifying [BS99]) show an equivalence between the simulation-based and the indistinguishability-based approach to defining non-malleability. As we discuss later, their proof however makes certain implicit assumptions on the type of encryption schemes used. As far as we know, equivalences for general encryption schemes are not known.

Composition and Invalid Ciphertexts. In practice, encryption schemes must also guarantee security when an adversary receives encryptions of multiple messages. It is well known that for the traditional definition of secrecy, “single-message” security implies “multi-message” security - we say that the definition is closed under composition. It would be desirable to have a definition of non-malleability that composes (i.e., for which non-malleability for a single message implies non-malleability for multiple messages).

It turns out that this property is highly sensitive to the way non-malleability is formalized. As pointed out by Pass, shelat and Vaikuntanathan [PSV06], there is some ambiguity in the original work of Dolev, Dwork and Naor [DDN00] about how to treat an adversary that sometimes produces invalid ciphertexts as part of its output. Whereas the intuitive description of the “spirit” of non-malleability considers an adversary successful if it is able to output ciphertexts that are related to the ciphertexts it receives, the formal definition does not consider an adversary who outputs an invalid ciphertext (even if this event is correlated with the input ciphertexts it receives). It is shown in [PSV06] that for the case of chosen-plaintext attacks, this (seemingly minor) issue becomes critical in certain (traditional) applications, and is also essential for proving composability of non-malleability. In both situations a stronger definition, which does not automatically fail an adversary which outputs an invalid ciphertext, is sufficient, whereas the weaker (traditional) one is not. We denote by SIM-NME', IND-NME' these stronger variants of SIM-NME, IND-NME (which are in line with the definitions of [PSV06, BS06]).
1.1 Our Results 

We may thus broadly categorize definitions of non-malleability into two major groups: “simulation-based” and “indistinguishability-based,” each with two sub-groups: “invalid-allowing” and “invalid-prohibiting.” In this paper we first fully characterize the relationship among the different definitional approaches outlined above. Secondly, we consider the robustness of each of the definitions under a natural (and highly desirable) notion of composition. Our motivation is to clarify the definitional imbroglio surrounding the notions. To do so, we present a unified way of defining non-malleability according to the above-mentioned different approaches. We furthermore believe that our definitions provide the simplest and cleanest way to formalize non-malleability according to these approaches.

Relations Between Definitions. Our results are as follows.

1. The Case of Invalid-Allowing Definitions. For the case of invalid-allowing definitions, we obtain a separation between the simulation-based definition of non-malleability, SIM-NME', and the indistinguishability-based definition, IND-NME'. In particular, under CCA1 or CCA2 attacks, SIM-NME' is strictly stronger than IND-NME', whereas under CPA attacks they are equivalent.

2. The Case of Invalid-Prohibiting Definitions. For the case of invalid-prohibiting definitions, the simulation-based definition, SIM-NME, is equivalent to the indistinguishability-based definition, IND-NME, under all attacks (i.e., CPA, CCA1 and CCA2).

3. The Relation between Invalid-Allowing and -Prohibiting Definitions. The first approach to defining non-malleability is strictly stronger than the second one. In fact, this holds under all attacks in the simulation-based notion, and under CCA1 and CPA attacks for the indistinguishability-based notion.

A full characterization of the different definitions is summarized in the table below. The starred results appear in either [DDN00] and/or [BDPR98].

ATTACK   RELATIONSHIPS
CCA2     SIM-NME' > IND-NME' = SIM-NME =* IND-NME =* IND
CCA1     SIM-NME' > IND-NME' > SIM-NME =  IND-NME >* IND
CPA      SIM-NME' = IND-NME' > SIM-NME =  IND-NME >* IND


Results Concerning Practical Schemes and Restricted Message Spaces. Many practical and efficient encryption schemes only work for restricted message spaces. For example, the El Gamal and Cramer-Shoup schemes work for messages that are elements of some finite group. While it seems natural for the above equivalences to also hold for this special class of encryption schemes, we show in §5 that this intuition is not true. In particular, we show that also for the case of CCA2 attacks, SIM-NME is strictly stronger than IND-NME. Thus, somewhat surprisingly,

For restricted message spaces, “simple” IND-CCA2 security does not imply the original semantical (simulation-based) definition of non-malleability.

This stands in sharp contrast to the result of [DDN00, BDPR98] showing that IND-CCA2 indeed is equivalent to SIM-NME for the case of full message spaces.

Why Simulation-Based Non-malleability Is Desirable. Many practical system attacks such as buffer overflows rely on creating a situation in which a process is fed unexpected input. With this in mind, consider an encryption scheme which has been dutifully designed so that an adversary cannot produce a ciphertext which decrypts to a certain output value (say ⊥). A system designer might employ this scheme in a process, and rely on the fact that such inputs cannot be produced by the decrypting algorithm for the correctness of the process.

Now suppose that the adversary might have a way to implement a CCA2 attack. A cryptographer may be content to prove that their encryption scheme is IND-CCA2-secure. However, the systems practitioner may require something more. She would like the guarantee that even if the adversary has a decryption oracle, the adversary will be unable to “do any more harm” than if the adversary did not have the decryption oracle. In other words, the adversary will be unable to produce unexpected outputs in this case as well — and so the practitioner’s original assumptions are still valid. In essence, the situation calls for simulation-based security.

Remarks. As shown by Canetti [Can01], a Universally Composable (UC) implementation of an “idealized” encryption functionality F_pke is equivalent to IND-CCA2-secure encryption. Furthermore, the UC definition of security is a semantical notion which provides security under arbitrary concurrent executions; in particular UC security provides security with respect to man-in-the-middle attacks. However, the definition of F_pke allows a corrupted sender to make an honest receiver decrypt a ciphertext to any arbitrary string (and not only those in the domain of the encryption function) even if this was not possible in a stand-alone setting; as such UC encryption does not satisfy the above desiderata. We also mention that Goldreich [Gol04] presents a similar semantical (simulation-based) definition of non-malleability, which is equivalent to (simple) indistinguishability under CCA2 attacks; this definition too does not prevent a corrupted sender from making an honest receiver decrypt a ciphertext to any arbitrary string.¹

Additional Equivalences. To further clarify the semantical relation between the various notions, we present additional equivalences for certain restricted encryption schemes: Concisely, a scheme which is IND-NME secure and for which it is possible to efficiently produce a ciphertext which decrypts to every output in the range of the decryption function is also (multi-message) SIM-NME' secure.² Thus, for encryption schemes satisfying certain technical conditions all the above notions are equivalent. In light of this our separation results might seem “artificial”.³ Note, however, that although these restrictions are not implausible, they are far from being satisfied by all “practical” encryption schemes. Indeed, whereas RSA-OAEP satisfies them (at the cost of “truncating” the message space), other schemes such as CS1 from [CS98] do not.

1 On a high level, the difference between SIM-NME and the definition of [Gol04] is that in the latter, the simulator is required to output plaintexts that are indistinguishable from the messages the adversary encrypts, whereas in the former the simulator must do the same as the adversary and output ciphertexts.

Composability of Definitions. The table below summarizes new and known results regarding the composability of the various definitional approaches. A ✓-mark indicates that the definition composes, an ✗-mark indicates it does not, and ? indicates that the status is unknown. Pass, shelat, and Vaikuntanathan [PSV06] show the * result. Gennaro and Lindell [GL03] show the † result. All other results are new in this paper. These new results show that, contrary to folklore belief, indistinguishability-based definitions of encryption do not necessarily compose in the context of non-malleability.

         SIM-NME'   IND-NME'   SIM-NME   IND-NME
CCA2     ?          ✓          ✓         ✓
CCA1     ?          ✓          ✗         ✗
CPA      ✓          ✓*         ✗†        ✗

Related Work. The work of [BS06] (clarifying the original work of [BS99]) provided a comprehensive study of equivalence between indistinguishability-based and simulation-based definitions. Their main results show such an equivalence for the case of invalid-allowing definitions. We here note that their result implicitly makes the assumption that the encryption schemes considered have the property that it is “easy” (i.e., there is a prescribed polynomial-time algorithm) to generate invalid ciphertexts. In contrast, we consider general encryption schemes (i.e., without any such restriction). Interestingly, we show that the notions no longer are equivalent when doing so (furthermore, when considering restricted message spaces, equivalence does not hold even if there exists a prescribed polynomial-time algorithm for generating invalid ciphertexts).

Nevertheless, we emphasize that proof techniques from [BS06] are useful also when considering general encryption schemes. Indeed, our equivalence proof for the case of invalid-prohibiting definitions (i.e., showing that SIM-NME = IND-NME) borrows from their original proof.⁴

2 This result generalizes the earlier results by [BS06]. See Section II . 1 1 for more details.

3 In a sense all separation results can be called either “artificial” or “trivial” — if they are satisfied by known schemes then they are trivial, otherwise they are “artificial”.

4 The original published version of their results [BS99] claimed an equivalence between SIM-NME and an indistinguishability-based definition of non-malleability due to [BDPR98]. This claim was later retracted in the new version [BS06] (due to subtleties pointed out by Lindell). We mention, however, that our definition of IND-NME is (seemingly) different from the indistinguishability-based definition of [BDPR98].
We also mention that various other definitions of non-malleability for encryption schemes have been proposed (e.g., [BDPR98, BS06, Gol04]). Our goal is not to fully characterize the relative strength of all variants of non-malleability. Rather, we highlight the differences between certain natural definitional approaches (i.e., simulation vs. indistinguishability, and invalid-allowing vs. invalid-prohibiting).

2 Definitions 

Oracles. In a chosen-plaintext attack (CPA), the oracles O_1, O_2 return the empty string. In a CCA1 attack, the oracle O_1(pk, ·) returns the decryption of its input under public key pk (which is implicit by context). Finally, in a CCA2 attack, both oracles return decryptions with the exception that O_2(pk, y, ·) returns ⊥ when queried on a ciphertext contained in y.

Comparing Definitions. If D1, D2 are two definitions, the notation D1 > D2 means that: “Every scheme Π which satisfies D1 also satisfies D2, and if there exists a scheme Π which satisfies D2, then there exists a scheme Π' which also satisfies D2 but does not satisfy D1.” We say that D1 = D2 if the set of schemes that satisfy D1 is identical to the set of schemes that satisfy D2.

2.1 Simulation-Based Definitions of Non-malleable Encryption

Definition 1 (SIM-NME' Security). Define the following two experiments.

SIM-NME'(Π, A, k, ℓ, r):                            SIM-NME'(Π, S, k, ℓ, r):
  (pk, sk) ← Gen(1^k)                                 (pk, sk) ← Gen(1^k)
  (M, s) ← A_1^{O_1}(pk)
  (m_1, ..., m_ℓ) ← M(1^k)                            (m_1, ..., m_ℓ) ← M(1^k)
  y ← Enc(pk, m)
  ((c_1, ..., c_r), σ) ← A_2^{O_2}(y, h(m), s)        ((c_1, ..., c_r), σ) ← S_2(h(m), s)
  Output (M, m, (d_1, ..., d_r), σ)                   Output (M, m, (d_1, ..., d_r), σ)

Here M is a Turing machine that samples a vector of ℓ(k) messages from a distribution. We say that M is a (p, ℓ)-valid message-sampler if 1) the running time of M(1^k) is bounded by p(k), and 2) there exist polynomials l_1, l_2, ..., l_ℓ such that M(1^k) always outputs message sequences (m_1, ..., m_{ℓ(k)}) such that |m_i| = l_i(1^k) for all 1 ≤ i ≤ ℓ(k).

An encryption scheme Π = (Gen, Enc, Dec) is SIM-NME'-secure if for polynomials ℓ(k), r(k) and p(k), every polynomial-time computable history function h(·), every p.p.t. adversary A = (A_1, A_2) which runs in time p(k) and always outputs a (p, ℓ)-valid message sampler, there exists a p.p.t. algorithm S = (S_1, S_2) that always outputs a (p, ℓ)-valid message sampler, such that the following two distributions are computationally indistinguishable:

{SIM-NME'(Π, A, k, ℓ(k), r(k))}_k ≈ {SIM-NME'(Π, S, k, ℓ(k), r(k))}_k    (1)

We also define a weaker notion of this definition named SIM-NME by requiring that the outputs of the two experiments are indistinguishable only for a certain “restricted” set of adversaries A. Define the following two types of adversaries:

1. non-copying adversaries: A = (A_1, A_2) is said to be non-copying if in the above experiment A_2 never outputs a ciphertext c_i s.t. c_i ∈ y.

2. valid adversaries: A is said to be valid if in the above experiment A only outputs ciphertexts that are in the range of the encryption function (on input pk), i.e., it holds that for all c_i, there exists a d_i such that c_i ∈ Enc(pk, d_i).

Definition 2 (SIM-NME Security). An encryption scheme Π = (Gen, Enc, Dec) is SIM-NME-secure if for polynomials ℓ(k), r(k) and p(k), every polynomial-time computable history function h(·), every non-copying, valid p.p.t. adversary A = (A_1, A_2) which runs in time p(k) and always outputs a (p, ℓ)-valid message sampler, there exists a p.p.t. algorithm S = (S_1, S_2) that always outputs a (p, ℓ)-valid message sampler, such that the ensembles in equation (1) are indistinguishable to any p.p.t. distinguisher D.

Single-Message Versus Many-Message Security. We have presented definitions which allow the adversary to see a sequence of encrypted messages. For both the above definitions of non-malleability, a scheme satisfying the definition in the case when ℓ(k) = 1 (but r(k) is still arbitrary) is said to be single-message secure. The question of whether any single-message secure scheme is also (many-message) secure is the question of composability of the definition.

Remarks. Single-message SIM-NME security is a rewriting of the original DDN simulation-based definition of non-malleability. The main difference between our definition and the definition of DDN is that we dispense with the relation R and instead use the notion of indistinguishability of the outputs. This difference is inconsequential (since any p.p.t. distinguisher can be described as a p.p.t. relation and vice versa); however, this draws a parallel to the (upcoming) indistinguishability-based definition of non-malleability, which we term IND-NME. In this way, we emphasize the meaning of this definition: neither a ciphertext of a chosen message nor a decryption oracle can substantially alter an adversary’s ultimate “behavior.” Given this interpretation, it is also intuitive to see why the valid-adversary is somehow artificial. Moreover this restriction prevents the definition from composing — i.e., it is possible for a scheme to be single-message SIM-NME secure, but not SIM-NME secure. We also remark that our definition of single-message SIM-NME' security is syntactically equivalent to the SNM definition of non-malleability from [BS06].

5 This interpretation comes from [DDN00] where they write “A produces... ciphertexts (c_1, ...)...with c_i ∈ Enc(d_i)...”.
2.2 Indistinguishability-Based Definitions

The following definition of non-malleability was introduced in [PSV06] and is syntactically very close to the definition of [BS99, BS06].


Definition 3 (IND-NME' Security [PSV06]). Let Π = (Gen, Enc, Dec) be an encryption scheme and let the random variable IND-NME'_b(Π, A, k, ℓ, r), where b ∈ {0,1}, A = (A_1, A_2) and k, ℓ, r ∈ N, denote the result of the following probabilistic experiment:

IND-NME'_b(Π, A, k, ℓ, r):
  (pk, sk) ← Gen(1^k)
  (m_0, m_1, s) ← A_1^{O_1}(pk) s.t. |m_{0,i}| = |m_{1,i}|
  y_i ← Enc(pk, m_{b,i}) for i ∈ [1, ℓ]
  (c_1, ..., c_r) ← A_2^{O_2}(y, s)
  Output (d_1, ..., d_r) where d_i = copy if c_i ∈ y, and d_i = Dec(sk, c_i) otherwise

(Gen, Enc, Dec) is IND-NME'-secure if ∀ p.p.t. algorithms A = (A_1, A_2) and for any polynomials ℓ(k) and r(k), the following two ensembles are computationally indistinguishable:

{IND-NME'_0(Π, A, k, ℓ(k), r(k))}_k ≈ {IND-NME'_1(Π, A, k, ℓ(k), r(k))}_k    (2)

We also introduce a weaker version of this definition, IND-NME, in which, as in the previous section, (2) need only hold for non-copying, valid adversaries A.

Definition 4 (IND-NME Security). An encryption scheme (Gen, Enc, Dec) is IND-NME-secure if ∀ non-copying, valid p.p.t. algorithms A = (A_1, A_2) and for any polynomials ℓ(k) and r(k), the ensembles in equation (2) are computationally indistinguishable.


Single-Message Security. For both the above indistinguishability-based definitions, we obtain the weaker notion of single-message security by restricting attention to the case when ℓ(k) = 1. We also note that our definition of single-message IND-NME' security is a syntactical rewriting of (and thus equivalent to) the definition of IND-PAX of [BS06].


3 Equivalences Between Definitions

Theorem 1. SIM-NME = IND-NME for all attacks.

The equivalence proof for this theorem uses ideas from Bellare and Sahai. Note however that it does not show that SIM-NME' = IND-NME' (as was the goal in Bellare and Sahai’s revised paper [BS06]). Let us briefly recall the subtle issue in the original proof in [BS99] (the same issue appears in the revised proof that SIM-NME' = IND-NME' in [BS06]). In one step of the equivalence proof, the SIM-NME simulator must re-encrypt a vector of ciphertexts which the adversary has produced. If an “aborting” adversary has produced an invalid ciphertext, it is not clear whether the simulator can proceed — in particular, the encryption scheme Π might not provide an efficient method to produce an invalid ciphertext (as was the case in the previous section). The proof does hold, however, for a valid adversary who always produces ciphertexts that are in the range of the Enc function.

In the full version, we present a direct equivalence proof for SIM-NME and IND-NME which is simple and extends to the case of many-message security. Moreover, the proof also leads to the following corollary relating SIM-NME' and IND-NME', used in Theorem 4.

Corollary 1. If Π is SIM-NME'-secure, then Π is also IND-NME'-secure.

For completeness, we present in the full version a proof of the following theorem, which has been partially shown by Dolev, Dwork, and Naor [DDN00].

Theorem 2. IND-NME'-CCA2 = IND-NME-CCA2 = IND-CCA2.

In the weaker CPA attack, we show that the simulation and indistinguishability definitions for invalid-ciphertext-producing adversaries are also equivalent by adapting a simpler version of Thm. 1. This implies that the construction from [PSV06] meets the strongest notion of non-malleability for the CPA attack. The proof appears in the full version.

Theorem 3. Under a CPA attack, SIM-NME' = IND-NME'.

4 Separating the SIM-NME' and IND-NME' Definitions

Theorem 4 (Main Separation). Under CCA1 or CCA2 attacks, SIM-NME' > IND-NME' even for single-message security.

Corollary 1 shows that SIM-NME' implies IND-NME'. Thus, the main idea for this separation is to design an encryption scheme in which the set of messages for which a ciphertext can be efficiently computed and the range of the decryption function differ. As one concrete example below, we design an IND-NME' scheme in which it is nearly impossible for an adversary to produce a ciphertext which decrypts to ⊥ (i.e., an invalid ciphertext) unless it has adaptive access to a decryption oracle.⁶ We show the scheme so constructed meets the IND-NME' definition. However, it does not meet the SIM-NME' definition under a CCA1 or CCA2 attack, because an adversary (with access to a decryption oracle) is able to produce a ciphertext that decrypts to ⊥ whereas a simulator (without access to a decryption oracle) is unable to. Thus, the outputs of the two SIM-NME' experiments will be trivially distinguishable. The general idea behind these types of arguments first appears in [DDN00] and is also used in [BDPR98] to show other separations.

6 Another example would be a finite message space, i.e., a message space which includes all strings in {0,1}^k and a scheme in which the range of the decryption function includes one k²-bit string. We discuss this later in §5.
Proof. Let Π = (Gen, Enc, Dec) be an encryption scheme that satisfies IND-NME' under a CCA attack. Consider the encryption scheme Π' defined in the figure below. The key property of Π' is that Dec' never outputs ⊥ unless it is queried with the special “open sesame” string α, and a decryption oracle is necessary to learn the “open sesame” string.

Encryption Scheme Π'

Gen'(1^k): Run (pk, sk) ← Gen(1^k). Pick a random k-bit string α and set sk' ← (sk, α).

Enc'(pk', m): Run c ← Enc(pk, m). Output (1, 0^k, c) as the ciphertext.

Dec'(sk', c'): Parse c' as (b, β, c) where b is a bit and β is a k-bit string.

1. If b = 0 and β = 1^k, then output α.

2. If b = 0 and β = α, then output ⊥.

3. If b = 1 and β = 0^k, run m ← Dec(sk, c). If the output is ⊥, output 0. Otherwise, output m.

4. Otherwise, output 0.

It is easy to see that Π' syntactically is an encryption scheme. The only issue is to argue that Π' is perfectly correct, which follows because perfect correctness only applies to decryption of honestly encrypted messages (which are never invalid ciphertexts).

Claim. Π' = (Gen', Enc', Dec') meets the IND-NME'-CCA definition.

Proof. Suppose there exists an adversary A' which breaks the IND-NME'-CCA definition for Π'. Such an adversary can be used to construct an adversary A which breaks the IND-NME'-CCA definition for Π as follows:

The new adversary A simulates (Gen', Enc', Dec') for A' by picking α itself and using the oracles for Dec to answer queries. More precisely, on input a public key pk, A generates a k-bit string α and feeds pk to A'. When A' asks decryption queries, A simulates the Dec' algorithm by using α as the second component of sk' and the decryption oracle in order to compute Dec(c, sk). When A' produces two challenge messages, A forwards these messages along, and when it receives a challenge ciphertext y, A feeds (1, 0^k, y) to A'. In the case of a CCA2 attack, A again simulates the Dec' function, and when A' finally returns an answer, A echoes it. A perfectly simulates the IND-NME'-CCA game for A', and thus succeeds with exactly the same probability as A'.

Claim. Π' does not meet the SIM-NME'-CCA definition.

Proof. Consider the relation R(·, x, M, s) which is 1 if x is ⊥ and 0 otherwise.

A CCA1 adversary with access to a decryption oracle can satisfy R by making a decryption query on the message (0, 1^k, 0) to get the value α, and then by outputting the ciphertext (0, α, 0).

However, it is not possible for a simulator S without access to the decryption oracle to satisfy R. Such a simulator only has an exponentially small chance of guessing the correct α string necessary to produce ⊥. Thus, Π' will not satisfy SIM-NME'-CCA1.
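The two claims above in miniature, as an added example that is not part of the paper: a toy Python model of Π' with the “open sesame” string α, the CCA1 adversary that learns α through one oracle query, and an oracle-less simulator that can only guess it. The underlying scheme Π is a constructed stand-in (an insecure fixed pad with pk = sk), chosen only because the argument does not depend on Π at all.

```python
import secrets

# Added example (not the paper's code): a toy model of the "open sesame"
# scheme Pi' from the proof of Theorem 4.  The underlying scheme Pi is a
# CONSTRUCTED stand-in (a fixed 32-byte pad, pk = sk) that is not secure and
# plays no role in the argument: all that matters is that Dec' returns ⊥ on
# exactly one kind of input, (0, α, ·), and that α is only learnable by
# decrypting (0, 1^k, ·).
K = 32                                  # |α| = K bytes, i.e. k = 256 bits
BOT = None                              # stands for ⊥
ZEROS, ONES = bytes(K), b"\xff" * K     # 0^k and 1^k

def gen():
    key = secrets.token_bytes(K)
    return key, key                     # (pk, sk) of the stand-in scheme

def enc(pk, m):                         # stand-in Enc, messages up to K bytes
    return bytes(a ^ b for a, b in zip(m, pk))

def dec(sk, c):                         # stand-in Dec; never returns ⊥
    return bytes(a ^ b for a, b in zip(c, sk))

def gen_prime():
    pk, sk = gen()
    alpha = secrets.token_bytes(K)      # the random "open sesame" string α
    return pk, (sk, alpha)              # sk' = (sk, α)

def enc_prime(pk, m):
    return (1, ZEROS, enc(pk, m))       # honest ciphertexts are (1, 0^k, c)

def dec_prime(sk_prime, c_prime):
    sk, alpha = sk_prime
    b, beta, c = c_prime
    if b == 0 and beta == ONES:         # rule 1: (0, 1^k, ·) reveals α
        return alpha
    if b == 0 and beta == alpha:        # rule 2: the only way to obtain ⊥
        return BOT
    if b == 1 and beta == ZEROS:        # rule 3: ordinary decryption
        m = dec(sk, c)
        return b"\x00" if m is BOT else m
    return b"\x00"                      # rule 4: everything else decrypts to 0

def cca1_adversary(decrypt_oracle):
    """A_2 with a CCA1 decryption oracle: query (0, 1^k, 0) to learn α, then
    output (0, α, 0), which Dec' maps to ⊥ (the relation R of the proof)."""
    alpha = decrypt_oracle((0, ONES, b"\x00"))
    return (0, alpha, b"\x00")

def simulator():
    """S without the oracle can only guess α (success probability 2^-k)."""
    return (0, secrets.token_bytes(K), b"\x00")

def separation():
    """Run both players once; returns (adversary reached ⊥, simulator did)."""
    pk, sk_prime = gen_prime()
    oracle = lambda ct: dec_prime(sk_prime, ct)
    d_adv = dec_prime(sk_prime, cca1_adversary(oracle))
    d_sim = dec_prime(sk_prime, simulator())
    return d_adv is BOT, d_sim is BOT
```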

4.1 More Separations for CCA1 and CPA Attacks

We now show that IND-NME' is stronger than IND-NME when considering weaker CPA and CCA1 attacks. Recall that IND-NME' and IND-NME are different only in that the former protects against all PPT adversaries, whereas the latter protects against only valid PPT adversaries.⁷ By combining the equivalence from Theorem 1 we also get a separation between IND-NME' and SIM-NME. For CCA2 attacks, they become equivalent (see Thm. 2).

Theorem 5. IND-NME' > IND-NME for CCA1 and CPA attacks even for single-message security.

Corollary 2. IND-NME' > SIM-NME for CCA1 and CPA attacks even for single-message security.

Proof. (Of Corollary 2) By Theorem 5, IND-NME' > IND-NME for CCA1 and CPA attacks, and by Theorem 1, SIM-NME = IND-NME under all attacks.

The main idea for the proof of Theorem 5 is to use the DDN-lite transformation [Dwo99, Nao04] to transform an IND-NME-secure encryption scheme into one that remains IND-NME-secure (the first claim below), but is vulnerable to an IND-NME' attack (the second claim below).

We actually prove a stronger statement which gives us a way to transform an IND-CPA-secure encryption scheme into one that is IND-NME-secure. While this result has been claimed in [Dwo99, Nao04], as far as the authors know, a proof has never been printed. Our proof also shows that the construction also transforms an IND-CCA1 scheme into an IND-NME-CCA1 scheme. The IND-NME' attack against this scheme is an adaptation of the attack against DDN-lite given in [PSV06].

Proof. (Of Theorem 5) Let Π = (Gen, Enc, Dec) be an encryption scheme that is IND-CPA-secure (respectively, IND-CCA1-secure). Let Σ = (Gen_sig, Sign, Ver) be a strongly unforgeable one-time signature scheme. Such a signature scheme can be constructed from one-way functions (the existence of one-way functions, in turn, is implied by the existence of an IND-CPA-secure encryption scheme). We construct a new encryption scheme Π_L from Π and show that Π_L satisfies the IND-NME definition but does not satisfy IND-NME'.

Claim. Π_L meets the IND-NME definition.

7 We say that an invalid ciphertext “decrypts” to ⊥ (Bot) and hence the title of the subsection.




R. Pass, A. Shelat, and V. Vaikuntanathan 


Encryption Scheme Π_L

Gen'(1^k): Run Gen(1^k) 2k times with independent random coins to produce 2k pairs of keys (pk_i^b, sk_i^b) for i ∈ [1, k] and b ∈ {0, 1}. Let pk' = [pk_i^b]_{i∈[k], b∈{0,1}} and sk' = [sk_i^b]_{i∈[k], b∈{0,1}}.

Enc'(m, pk'): Run Gen_sig(1^k) to generate a key pair (vksig, sksig) for the signature scheme. Let vksig be a k-bit string, and let the i-th bit of vksig be denoted vksig_i.

Run c_i ← Enc(pk_i^{vksig_i}, m) for i ∈ [1, k].

Let σ ← Sign(sksig, (c_1, c_2, ..., c_k)).

Output [(c_1, ..., c_k), vksig, σ] as the ciphertext.

Dec'(c', sk'): Parse c' as ((c_1, ..., c_k), vksig, σ).

If Ver(vksig, (c_1, ..., c_k), σ) = reject, output ⊥.

Otherwise, decrypt the c_i’s with the corresponding secret keys to get corresponding messages m_i. If all m_i’s are equal, output m_1, else output ⊥.


Proof. First, we show that an encryption scheme Π̄, constructed from Π in the following way, meets the IND-CPA (respectively, IND-CCA1) definition (Proposition 1). Π̄ = (Gen̄, Enc̄, Dec̄) is constructed as follows:

1. Gen̄ runs k copies of Gen to generate public keys pk = (pk_1, pk_2, ..., pk_k) and corresponding secret keys sk = (sk_1, sk_2, ..., sk_k).

2. Enc̄(m, pk) runs Enc(m, pk_i) for all i ∈ [k], with independently chosen randomness, and outputs the vector of k encryptions [c_1, c_2, ..., c_k].

3. Dec̄(c, sk) parses c as [c_1, c_2, ..., c_k]. Let m_i = Dec(c_i, sk_i). If all the m_i are the same, output m_1. Otherwise, output ⊥.

Secondly, in Proposition 2 we show that if Π̄ is IND-CPA-secure (respectively, IND-CCA1-secure), then Π_L is IND-NME-CPA-secure (resp., IND-NME-CCA1-secure). This proof appears in the full version.

Proposition 1. If Π is IND-CPA-secure (or IND-CCA1-secure), then so is Π̄.

Proof. The proof is a straightforward hybrid argument. The only complication stems from the simulation of the oracle in the CCA1 case. When the adversary asks to decrypt a ciphertext c = (c_1, c_2, ..., c_k), decrypt c_j using the secret key sk_j (if j ≠ i) and using the decryption oracle for pk_i (if j = i).

Proposition 2. If Π̄ is IND-CPA-secure (respectively, IND-CCA1-secure), then Π_L is IND-NME-secure (respectively, IND-NME-CCA1-secure).

Claim. $\Pi'$ is not IND-NME'-secure under CPA and CCA1 single-message attacks.

Proof. We specify an adversary $A = (A_1, A_2)$ and a distinguisher D such that
D distinguishes between $\{\mathrm{IND\text{-}NME}'_0(\Pi', A, k, 1)\}$ and $\{\mathrm{IND\text{-}NME}'_1(\Pi', A, k, 1)\}$.
A works as follows:

1. $A_1$ outputs two arbitrary messages $(m_0, m_1)$ and no state information.

2. On input ciphertext $c = [(e_1, \ldots, e_k), \mathrm{VKSIG}, \sigma]$, let $\mathrm{VKSIG} := b_1 b_2 \ldots b_k$.
$A_2$ produces a new ciphertext $c'$ as follows: $A_2$ generates a new signing
key $(\mathrm{SKSIG}', \mathrm{VKSIG}')$. Let $\mathrm{VKSIG}' := b'_1 b'_2 \ldots b'_k$. $A_2$ outputs the ciphertext
$c' = ((x_1, \ldots, x_k), \mathrm{VKSIG}', \sigma')$ where

$$x_i = \begin{cases} e_i & \text{if } b'_i = b_i \\ \mathrm{Enc}(\mathrm{PK}_i^{b'_i}, m_0) & \text{otherwise} \end{cases}$$

and $\sigma'$ is the signature of $(x_1, \ldots, x_k)$ under the signing key $\mathrm{SKSIG}'$.

Notice that $\mathrm{NME}_0(\Pi', A, k, 1) = m_0$ and $\mathrm{NME}_1(\Pi', A, k, 1) = \bot$, which can be
easily distinguished by a distinguisher D that outputs 0 on $m_0$ and 1 on $\bot$.


5 Additional Separations with Finite Message Spaces

Many encryption schemes such as El Gamal, RSA, Cramer-Shoup, and the league
of schemes based on elliptic curves and bilinear maps only process messages from
a finite message space such as the elements of some group G. In order to capture
the security of such systems, Cramer and Shoup [CS98] redefine the encryption
primitive to incorporate (a) a key-dependent message space $M_{\mathrm{PK}}$ and (b) a p.p.t.
message tester algorithm M that on input $1^k$, PK, a, determines whether a is an
element of the message space for the security parameter $1^k$ and the public key
PK. The encryption algorithm $\mathrm{Enc}: M_{\mathrm{PK}} \to \{0, 1\}^*$ now takes an input message
from $M_{\mathrm{PK}}$ and produces general bit strings, and the decryption algorithm maps
$\{0, 1\}^*$ to $M_{\mathrm{PK}} \cup \{\bot\}$. The correctness property is only required to hold over the
message space.

In this section, however, we note that if the message space is finite, then
the previously proven equivalence relationship between the weaker notions of
SIM-NME and IND-NME no longer holds. While the particular counter-example
that we use for the separation may seem contrived, this separation has practical
significance since it runs against our "intuition" about IND-CCA2 security.

The idea behind this separation is as follows. We construct an encryption
scheme whose message space includes three elements, $\{0, 1, x\}$, where x is related
to the public key PK. Moreover, we make it difficult for an adversary to
learn x unless it has a decryption oracle (notice that the definition for finite message
spaces only requires the message space to be easily decidable, but does not require
it to be enumerable!) (see footnote 8). From this point, the argument is the same. Namely,
an adversary with an oracle can produce a (valid) ciphertext decrypting to x
(therefore it is a valid adversary), whereas the simulator can only produce ciphertexts
decrypting to 0 or 1. The subtle difference between this argument and
the earlier one is that in this one, it is not the simulator's inability to produce
a ciphertext which decrypts to $\bot$, but rather its inability to learn a special
message in the message space which provides the separation. In the full message
space case, there are no such special messages since any string can be encrypted. This
is the reason that the separation can be extended to valid adversaries.

8 One could require enumerability of the message space. However, it is unclear such a
restriction helps; and it is clear that it needlessly prevents us from using more exotic
algebraic structures for encryption.

Let (Gen, Enc, Dec) be an IND-NME-secure encryption scheme for general message
spaces, and let f be a one-way permutation (see footnote 9).

Finite message space encryption scheme

Gen'($1^k$): Run Gen($1^k$) to generate a key pair (PK, SK). Pick a k-bit random string
$\alpha$ and compute $\beta = f(\alpha)$. Set $\mathrm{SK}' = (\mathrm{SK}, \alpha)$ and $\mathrm{PK}' = (\mathrm{PK}, \beta)$. The message
tester M(m) works as follows: if $m \in \{0, 1\}$ or if $f(m) = \beta$, then return 1.
Otherwise, return 0. (The message space consists of $\{0, 1, \alpha\}$.)

Enc'(m, PK'): If M(m) = 0, return an error. Otherwise, run $c \leftarrow \mathrm{Enc}(\mathrm{PK}, m)$ and
return (1, c).

Dec'(c', SK'): Parse c' as (b, c), and SK' as (SK, $\alpha$). If b = 0 then output $\alpha$. Otherwise,
output $m \leftarrow \mathrm{Dec}(\mathrm{SK}, c)$.

IND-NME security of the above finite message space encryption scheme directly
follows from the security of (Gen, Enc, Dec). In order to violate SIM-NME,
the adversary B must be non-aborting. Therefore, the final ciphertext it produces
must be in the range of the Enc' function (i.e., of the form (1, c)). Combined with
the one-wayness of f, a simulator not having access to a decryption oracle will
not be able to construct a valid encryption of the message $\alpha$.

However, a CCA1 attacker can easily do so by first querying (0, 0) to find $\alpha$
(notice that the attacker can query the oracle on invalid ciphertexts, but cannot
produce them as final output), and then honestly encrypting $\alpha$.

6 Special Cases for Equivalence 

The separation between SIM-NME' and IND-NME' hinged on the fact that the
set of messages for which one can efficiently compute a ciphertext and the range
of the decryption procedure differ. When these two sets are made to coincide, a
scheme that is IND-NME'-secure is also SIM-NME'-secure. Thus, we provide an
easy way to prove that a scheme meets the strongest notion of non-malleability.
As a corollary, we get that the main construction of [DDN00] achieves the
strongest form of security, that is, SIM-NME'-security against CCA2 attacks.

Theorem 6. Any (finite message-space) encryption scheme $\Pi$ which meets the
IND-NME definition and for which there is an efficient algorithm F, which on
input (PK, d) where d is a string in the range of Dec, produces a ciphertext c
such that $d \leftarrow \mathrm{Dec}(\mathrm{SK}, c)$, also meets the SIM-NME' definition.

9 In fact a one-way function would suffice. We only use a permutation for ease of
exposition.

This restriction could easily be added to many schemes by taking the message
space to be some set $\{0, 1\}^{\ldots}$ for all keys generated by Gen($1^k$) (and by making
it easy to generate invalid ciphertexts). We note that the RSA-OAEP padding
scheme does exactly this.

7 Composition: Many Message Security

In [PSV06], the authors show that IND-NME' security under CPA attacks composes.
That is, if an encryption scheme is IND-NME'-secure when the adversary
receives one encryption, it will also be IND-NME'-secure in a situation in which
the adversary receives many encryptions.

A natural question is whether the same phenomenon occurs under stronger
CCA1 and CCA2 attacks. In this section, we answer affirmatively as described in
the following theorem.

Theorem 7. A scheme $\Pi$ meets IND-NME' under attack atk iff it meets single-message
IND-NME' under attack atk.

Proof Sketch: The forward implication follows directly. For the reverse direction,
we present a routine hybrid argument that uses an adversary $(A_1, A_2), D$ with
advantage $\eta$ to construct a new adversary $(A'_1, A'_2), D$ which breaks the single-message
security with advantage $\eta/\ell^2$.

Define a new experiment $\mathrm{IND\text{-}NME}'_{(b_1, \ldots, b_\ell)}(\Pi, A, k, \ell)$ indexed by an $\ell$-bit
string $(b_1, \ldots, b_\ell)$ which is the same as $\mathrm{IND\text{-}NME}'_b(\Pi, A, k, \ell)$ except in the fourth
line (change is underlined): $y_i \leftarrow \mathrm{Enc}(\mathrm{PK}, m_{b_i, i})$ for $i \in [1, \ell]$. Define

$$B(g) := 1^{g}\, 0^{\ell - g}$$

and note that $\mathrm{IND\text{-}NME}'_0 = \mathrm{IND\text{-}NME}'_{B(0)}$ and $\mathrm{IND\text{-}NME}'_1 = \mathrm{IND\text{-}NME}'_{B(\ell)}$. Because
D distinguishes $\mathrm{IND\text{-}NME}'_0$ from $\mathrm{IND\text{-}NME}'_1$, there exists some $g^* \in [1, \ell]$
such that D distinguishes $\mathrm{IND\text{-}NME}'_{B(g^*)}$ from $\mathrm{IND\text{-}NME}'_{B(g^*+1)}$ with advantage
$\eta/\ell$. This suggests the following adversary: $A'_1(\mathrm{PK})$ guesses a value $g \in [1, \ell]$
and runs $A_1(\mathrm{PK})$ (answering any decryption queries by using its own decryption
oracle) and waits to receive the two vectors of messages $(m_{0,1}, \ldots, m_{0,\ell})$
and $(m_{1,1}, \ldots, m_{1,\ell})$. Finally, $A'_1$ outputs $(m_{0,g}, m_{1,g})$ as its challenge pair and
outputs state information containing g and $\mathbf{m}_0, \mathbf{m}_1$.

Adversary $A'_2(y, \mathrm{state}')$, on input an encryption y, first executes the replaced
line 4 of experiment $\mathrm{IND\text{-}NME}'_{B(g)}$ (described above) with the exception
that it uses y for the (g+1)-th encryption: $y_{g+1} \leftarrow y$. This is possible because it
receives the message vectors $\mathbf{m}_0$ and $\mathbf{m}_1$ in state'.

It then feeds the resulting vector of ciphertexts $\mathbf{y}$ to $A_2$ to produce another
vector of ciphertexts $(c_1, \ldots, c_\ell)$ and uses this vector as its own output. To answer
any oracle query c from $A_2$, $A'_2$ uses the following procedure: If $c = y_j$ for any
$j \in [1, \ell]$, then return $\bot$. Otherwise, it uses its own decryption oracle to decrypt
c and answers with the returned message.

Notice that $\mathrm{IND\text{-}NME}'_0(A'_1, A'_2)$ and $\mathrm{IND\text{-}NME}'_{B(g^*)}(A_1, A_2)$ are syntactically
the same, as are $\mathrm{IND\text{-}NME}'_1(A'_1, A'_2)$ and $\mathrm{IND\text{-}NME}'_{B(g^*+1)}(A_1, A_2)$. Because $A'$
guesses $g^*$ correctly with probability $1/\ell$, D's overall advantage in breaking the
single-message non-malleability is $\eta/\ell^2$.

One can see here the importance of removing the "valid adversary" restriction
for the hybrid argument to work. This follows because the reduction feeds a
hybrid distribution to $A_2$ and, even if $A_2$ is itself a valid adversary for the multi-message
experiment, $A_2$ may produce invalid ciphertexts when it is fed a hybrid
distribution. Moreover, these $\bot$ values may form the basis for distinguishability
in the hybrid experiment. Thus, one cannot guarantee that valid adversaries for
the multi-message experiment can be transformed into valid adversaries for the
single-message experiment. The separation in the Claim above exploits this issue (see footnote 10).

SIM-NME and IND-NME Do Not Compose Against CCA1 or CPA Attacks

We now show that (if there exist SIM-NME-secure encryption schemes) there is
an encryption scheme $\Pi'$ that is SIM-NME- or IND-NME-secure when the adversary
is given one ciphertext as the challenge, but there is an adversary A that
completely breaks the IND-NME-security of $\Pi'$ when given polynomially many
ciphertexts as challenge.

The encryption scheme $\Pi'$ is simply the encryption scheme constructed in the
proof of the theorem above (relying on the DDNLite construction). That theorem showed that $\Pi'$
is 1-message IND-NME-secure (and therefore 1-message SIM-NME-secure). The
many-message attack against $\Pi'$ is a simple covering attack. (We mention that
Gennaro and Lindell [GL03] pointed out that the DDNLite encryption scheme
is not secure under many messages. Although they did not include a
description of the attack, we believe they had a similar attack in mind.)

Recall that an encryption of a message m under $\Pi'$ consists of many encryptions
of m with respect to a randomly chosen set of k (out of 2k) public keys.
Given many (roughly k log k) independent encryptions of m, one can essentially
recover an encryption of m under all the 2k public keys. This will enable
us to construct a completely new encryption of m, and thus break IND-NME'
security.

Theorem 8. Let atk $\in$ {CPA, CCA1}. If there exists an encryption scheme that
is IND-atk-secure, then there exists another encryption scheme $\Pi'$ that is 1-message
IND-NME-atk-secure (respectively SIM-NME-atk-secure), but is not even
IND-NME-CPA-secure (respectively, SIM-NME-CPA-secure).

Proof. Omitted.


10 This argument also applies to a different interpretation of "valid adversary" in which
one forces the single-message experiment to return 0 when invalid ciphertexts are
produced. In this case, when $A_2$ produces invalid ciphertexts in the hybrid experiments,
the value of both hybrid experiments (b = 0, 1) will be 0 and the weaker
definition will thus be met even though there might still be a distinguisher which
could have distinguished the output of $A'_2$.
SIM-NME and IND-NME Compose Under CCA2 Attacks

Theorem 9. If an encryption scheme $\Pi$ is 1-message IND-NME-CCA2-secure,
then it is many-message IND-NME-CCA2-secure.

The proof of this theorem follows from the theorem stated earlier which shows that under
CCA2 attacks, the IND-NME and SIM-NME definitions coincide with the IND-NME'
definition, and from Theorem 7, which shows that IND-NME' composes under a many-message
attack.
Abstract. Tiger is a cryptographic hash function with a 192-bit hash
value. It was proposed by Anderson and Biham in 1996. Recently, weaknesses
have been shown in round-reduced variants of the Tiger hash
function. First, at FSE 2006, Kelsey and Lucks presented a collision
attack on Tiger reduced to 16 and 17 (out of 24) rounds with a complexity
of about $2^{44}$ and a pseudo-near-collision for Tiger reduced to 20
rounds. Later, Mendel et al. extended this attack to a collision attack on
Tiger reduced to 19 rounds with a complexity of about $2^{62}$. Furthermore,
they show a pseudo-near-collision for Tiger reduced to 22 rounds with
a complexity of about $2^{44}$. No attack is known for the full Tiger hash
function.

In this article, we show a pseudo-near-collision for the full Tiger hash
function with a complexity of about $2^{47}$ hash computations and a pseudo-collision
(free-start-collision) for Tiger reduced to 23 rounds with the
same complexity.

Keywords: Cryptanalysis, hash functions, differential attack, collision,
near-collision, pseudo-collision, pseudo-near-collision.


1 Introduction

Tiger is a cryptographic iterated hash function that processes 512-bit blocks and
produces a 192-bit hash value. It was proposed by Anderson and Biham in 1996.
Recent results in the cryptanalysis of Tiger show weaknesses in round-reduced
variants of the hash function. At FSE 2006, Kelsey and Lucks presented a collision
attack on 16 and 17 (out of 24) rounds of Tiger. The attack has a complexity
of about $2^{44}$ evaluations of the compression function. Furthermore, they present
a pseudo-near-collision for a variant of Tiger reduced to 20 rounds with a complexity
of about $2^{48}$. These results were later improved by Mendel et al. in [3].
They show that a collision can be found for Tiger reduced to 19 rounds with a
complexity of about $2^{62}$ evaluations of the compression function. Furthermore,
they present a pseudo-near-collision for Tiger reduced to 22 rounds with a complexity
of about $2^{44}$. However, so far no attack is known for the full Tiger hash
function.

* The work in this paper has been supported by the Austrian Science Fund (FWF),
project P18138.

K. Kurosawa (Ed.): ASIACRYPT 2007, LNCS 4833, pp. 536-550, 2007.
In this article, we present a 1-bit circular pseudo-near-collision for the full
Tiger hash function with a complexity of about $2^{47}$ hash computations and a
pseudo-collision (free-start-collision) for a variant of Tiger reduced to 23 rounds
with the same complexity. The attack is based on previous attacks presented
in [2] and [3]. Note that in the attacks of Kelsey and Lucks and Mendel et al. on
round-reduced variants of Tiger, the S-boxes of the hash function are addressed
wrongly (big endian instead of little endian). However, this error can be fixed
easily, because there is a large amount of freedom in these attacks on
round-reduced variants of Tiger.

The remainder of this article is structured as follows. A description of the Tiger
hash function is given in Section 2. In Section 3, we describe the basic attack
strategy on Tiger based on the work of Kelsey and Lucks on round-reduced
Tiger. We follow this attack strategy in Section 4 to construct a 1-bit circular
pseudo-near-collision for Tiger with a complexity of about $2^{47}$. In Section 5, we
show a pseudo-collision for Tiger reduced to 23 rounds with the same complexity.
Finally, we present conclusions in Section 6.

2 Description of the Hash Function Tiger

Tiger is a cryptographic hash function that was designed by Anderson and Biham
in 1996 [1]. It is an iterative hash function that processes 512-bit input message
blocks and produces a 192-bit hash value. In the following, we briefly describe the
hash function. It basically consists of two parts: the key schedule and the state
update transformation. A detailed description of the hash function is given in [1].
For the remainder of this article, we will follow the notation given in Table 1.


Table 1. Notation

  Notation      Meaning
  A ⊞ B         addition of A and B modulo 2^64
  A ⊟ B         subtraction of A and B modulo 2^64
  A ⊠ B         multiplication of A and B modulo 2^64
  A ⊕ B         bit-wise XOR-operation of A and B
  ¬A            bit-wise NOT-operation of A
  A ≪ n         bit-shift of A by n positions to the left
  A ≫ n         bit-shift of A by n positions to the right
  X_i           message word i (64 bits)
  X_i[even]     the even bytes of message word X_i (32 bits)
  X_i[odd]      the odd bytes of message word X_i (32 bits)


2.1 State Update Transformation 

The state update transformation of Tiger starts from a (fixed) initial value IV 
of three 64-bit words and updates them in three passes of eight rounds each. In 
each round one 64-bit word X is used to update the three state variables A, B 
and C as follows: 


538 F. Mendel and V. Rijmen

$$\begin{aligned}
C &= C \oplus X \\
A &= A \boxminus \mathrm{even}(C) \\
B &= B \boxplus \mathrm{odd}(C) \\
B &= B \boxtimes \mathrm{mult}
\end{aligned}$$

The results are then shifted such that A, B, C become B, C, A. Fig. 1 shows one 
round of the state update transformation of Tiger. 



Fig. 1. The round function of Tiger 


The non-linear functions even and odd used in each round are defined as
follows:

$$\begin{aligned}
\mathrm{even}(C) &= T_1[c_0] \oplus T_2[c_2] \oplus T_3[c_4] \oplus T_4[c_6] \\
\mathrm{odd}(C) &= T_4[c_1] \oplus T_3[c_3] \oplus T_2[c_5] \oplus T_1[c_7]
\end{aligned}$$

where state variable C is split into eight bytes $c_7, \ldots, c_0$ with $c_7$ the most
significant byte (and not $c_0$). Four S-boxes $T_1, \ldots, T_4 : \{0, 1\}^8 \to \{0, 1\}^{64}$ are
used to compute the output of the non-linear functions even and odd. For the
definition of the S-boxes we refer to [1]. Note that state variable B is multiplied
by the constant $\mathrm{mult} \in \{5, 7, 9\}$ at the end of each round. The value of the
constant is different in each pass of the Tiger hash function.

After the last round of the state update transformation, the initial values
$A_{-1}, B_{-1}, C_{-1}$ and the output values of the last round $A_{23}, B_{23}, C_{23}$ are combined,
resulting in the final value of one iteration (feed forward). The result is
the final hash value or the initial value for the next message block.

$$\begin{aligned}
A_{24} &= A_{-1} \oplus A_{23} \\
B_{24} &= B_{-1} \boxminus B_{23} \\
C_{24} &= C_{-1} \boxplus C_{23}
\end{aligned}$$
2.2 Key Schedule

The key schedule is an invertible function which ensures that changing a small
number of bits in the message will affect a lot of bits in the next pass. While the
message words $X_0, \ldots, X_7$ are used in the first pass to update the state variables,
the remaining 16 message words, 8 for the second pass and 8 for the third pass,
are generated by applying the key schedule as follows:

$$(X_8, \ldots, X_{15}) = \mathrm{KeySchedule}(X_0, \ldots, X_7)$$

$$(X_{16}, \ldots, X_{23}) = \mathrm{KeySchedule}(X_8, \ldots, X_{15})$$

The key schedule modifies the inputs $(Y_0, \ldots, Y_7)$ in two steps:

first step:

$$\begin{aligned}
Y_0 &= Y_0 \boxminus (Y_7 \oplus \mathtt{A5A5A5A5A5A5A5A5}) \\
Y_1 &= Y_1 \oplus Y_0 \\
Y_2 &= Y_2 \boxplus Y_1 \\
Y_3 &= Y_3 \boxminus (Y_2 \oplus ((\neg Y_1) \ll 19)) \\
Y_4 &= Y_4 \oplus Y_3 \\
Y_5 &= Y_5 \boxplus Y_4 \\
Y_6 &= Y_6 \boxminus (Y_5 \oplus ((\neg Y_4) \gg 23)) \\
Y_7 &= Y_7 \oplus Y_6
\end{aligned}$$

second step:

$$\begin{aligned}
Y_0 &= Y_0 \boxplus Y_7 \\
Y_1 &= Y_1 \boxminus (Y_0 \oplus ((\neg Y_7) \ll 19)) \\
Y_2 &= Y_2 \oplus Y_1 \\
Y_3 &= Y_3 \boxplus Y_2 \\
Y_4 &= Y_4 \boxminus (Y_3 \oplus ((\neg Y_2) \gg 23)) \\
Y_5 &= Y_5 \oplus Y_4 \\
Y_6 &= Y_6 \boxplus Y_5 \\
Y_7 &= Y_7 \boxminus (Y_6 \oplus \mathtt{0123456789ABCDEF})
\end{aligned}$$

The final values $(Y_0, \ldots, Y_7)$ are the output of the key schedule and the message
words for the next pass.


3 Basic Attack Strategy 

In this section, we briefly describe the attack strategy of Kelsey and Lucks to 
attack round-reduced variants of the Tiger hash function. A detailed descrip- 
tion of the attack is given in [2]. For a good understanding of our attack it is 
recommended to study it carefully. The attack can be summarized as follows. 

1. Find a characteristic for the key schedule of Tiger which holds with high 
probability. In the ideal case this probability is 1 . 

2. Use a kind of message modification technique developed for Tiger to con- 
struct certain differences in the state variables, which can then be canceled 
by the differences of the message words in the following rounds. 

These two steps of the attack are described in detail in the following sections. 

3.1 Finding a Good Characteristic for the Key Schedule of Tiger 

To find a good characteristic for the key schedule of Tiger, we use a linearized
model of the key schedule. Therefore, we replace all modular additions and
subtractions by an XOR operation, resulting in a linear code over GF(2). Finding
a characteristic in the linear code is not difficult, since it depends only on the
differences in the message words. The probability that the characteristic holds
in the original key schedule of Tiger is related to the Hamming weight of the
characteristic. In general, a characteristic with low Hamming weight has a higher
probability than one with a high Hamming weight.

For finding a characteristic with high probability (low Hamming weight), we 
use probabilistic algorithms from coding theory. It has been shown in the past 
(cryptanalysis of SHA-1 [4]) that these algorithms work quite well. Furthermore, 
we can impose additional restrictions on the characteristic by forcing certain 
bits/words to zero. Note that this is needed to find suitable characteristics for 
the key schedule of Tiger. For an attack on the Tiger hash function we need 
many zeros in the first and last rounds of the hash function. 

3.2 Message Modification by Meet-in-the-Middle 

In order to construct a collision in Tiger reduced to 16 rounds, Kelsey and Lucks 
use a message modification technique developed for Tiger. The idea of message 
modification in general is to use the degree of freedom one has in the choice of 
the message words to fulfill conditions on the state variables. In the attack on 
Tiger this method is used to construct a certain differential pattern in the state 
variables, which can then be canceled by the differences of the message words in 
the following rounds. This leads to a collision in a round reduced variant of Tiger. 
In the following we will briefly describe this message modification technique 
according to Fig. 2. 

Assume we are given $A_{i-1}, B_{i-1}, C_{i-1}$ and $A^*_{i-1}, B^*_{i-1}, C^*_{i-1}$ as well as
$\Delta^\oplus(X_i)$ and $\Delta^\oplus(X_{i+1})$. Then the modular difference $\Delta^\boxplus(C_{i+1})$ can be forced
to be any difference $\delta$ with a probability of $2^{-1}$ by using a birthday attack.
We try out all $2^{32}$ possibilities for $X_i[\mathrm{odd}]$ to generate $2^{32}$ candidates for
$\Delta^\boxplus(\mathrm{odd}(B_i))$. Similarly, we try out all $X_{i+1}[\mathrm{even}]$ to generate $2^{32}$ candidates for
$\Delta^\boxplus(\mathrm{even}(B_{i+1}))$. Subsequently, we use a meet-in-the-middle approach to solve
the following equation:

$$\Delta^\boxplus(C_{i+1}) = \mathrm{mult} \boxtimes [\Delta^\boxplus(B_{i-1}) \boxplus \Delta^\boxplus(\mathrm{odd}(B_i))] \boxminus \Delta^\boxplus(\mathrm{even}(B_{i+1})) = \delta . \qquad (1)$$

The method can be summarized as follows:

1. Store the $2^{32}$ candidates for $\Delta^\boxplus(\mathrm{odd}(B_i))$ in a table.

2. For all $2^{32}$ candidates for $\Delta^\boxplus(\mathrm{even}(B_{i+1}))$, test if some $\Delta^\boxplus(\mathrm{odd}(B_i))$ exists
in the table with

$$\Delta^\boxplus(\mathrm{odd}(B_i)) = (\Delta^\boxplus(\mathrm{even}(B_{i+1})) \boxplus \delta) \boxtimes \mathrm{mult}^{-1} \boxminus \Delta^\boxplus(B_{i-1}) .$$

This technique needs about $2^{36}$ bytes of storage and takes $2^{33}$ evaluations of
each of the functions odd and even. This is equivalent to about $2^{29}$ evaluations
of the compression function of Tiger.
Fig. 2. Message Modification by Meet-in-the-Middle


4 A Pseudo-near-collision for Tiger

In this section, we will present a 1-bit circular pseudo-near-collision for the Tiger
hash function. Note that the difference in the final hash value is the same as in
the initial value. In other words, we have a pseudo-collision in the compression
function of Tiger after 24 rounds, but due to the feed forward the collision
after 24 rounds is destroyed, resulting in a 1-bit pseudo-near-collision for the
Tiger hash function. The attack has a complexity of about $2^{47}$ evaluations of the
compression function. In the attack, we extend techniques invented by Kelsey
and Lucks in the attack on round-reduced variants of Tiger.

We use the characteristic given below for the key schedule of Tiger to construct
the pseudo-near-collision in the hash function. This characteristic holds with a
probability of $2^{-1}$, which facilitates the attack.

$$(0, I, 0, 0, 0, I, I', 0) \rightarrow (0, I, 0, I, 0, 0, 0, 0) \rightarrow (0, I, 0, 0, 0, 0, 0, 0) \qquad (2)$$

I denotes a difference in the MSB of the message word and $I' := I \gg 23$. Note
that the XOR-difference (denoted by $\Delta^\oplus$) equals I if and only if the modular
difference (denoted by $\Delta^\boxplus$) equals I.

In order to have a pseudo-collision in the compression function of Tiger after
24 rounds, it is required that there is a pseudo-collision after round 17. Hence,
the following differences are needed in the state variables for round 14 of Tiger
(see Table 2).

$$\Delta^\oplus(A_{14}) = 0, \quad \Delta^\oplus(B_{14}) = I, \quad \Delta^\oplus(C_{14}) = 0 \qquad (3)$$

Table 2. Characteristic for a 1-bit pseudo-near-collision in the Tiger hash function

                   i    ΔA_i   ΔB_i   ΔC_i   ΔX_i
  initial value   -1    I      0      0
  Pass 1           0    0      0      I      0
                   1    0      0      0      I
                   2    0      0      0      0
                   3    0      0      0      0
                   4    0      0      0      0
                   5    *      I      0      I
                   6    *      I'     *      I'
                   7    *      *      *      0
  Pass 2           8    *      *      *      0
                   9    *      *      *      I
                  10    *      *      *      0
                  11    *      *      K⊕     I
                  12    *      K+     L⊕     0
                  13    0      L+     I      0
                  14    0      I      0      0
                  15    I      0      0      0
  Pass 3          16    0      0      I      0
                  17    0      0      0      I
                  18    0      0      0      0
                  19    0      0      0      0
                  20    0      0      0      0
                  21    0      0      0      0
                  22    0      0      0      0
                  23    0      0      0      0
  feed forward    24    I      0      0

Constructing these differences in the state variables for round 14 is the most 
difficult part of the attack. We use the message modification technique described 
in Section 3.2 for this. In the following sections, we will describe all steps of the 
attack in detail. 

4.1 Precomputation 

The precomputation step basically consists of 2 parts. First, we have to find a
set $\mathcal{L}$ of possible modular differences $L^+$ which are consistent with a low-weight
XOR-difference $L^\oplus$. A modular difference $L^+$ is consistent with $L^\oplus$ if there exist
p and $p^*$ such that $p^* \oplus p = L^\oplus$ and $p^* \boxminus p = L^+$. Let $\mathcal{L}'$ be the set of modular
differences $L^+$ which are consistent with the XOR-difference $L^\oplus$; then we define the
set $\mathcal{L}$ of possible modular differences as follows:

$$\mathcal{L} = \{L^+ \in \mathcal{L}' : L^+ = \mathrm{odd}(B_{14} \oplus I) \boxminus \mathrm{odd}(B_{14})\}$$

Note that the size of the set $\mathcal{L}'$ is related to the Hamming weight of $L^\oplus$, namely
$|\mathcal{L}'| = 2^{hw(L^\oplus)}$. In order to optimize the complexity of the meet-in-the-middle
step used in the attack, we need an $L^\oplus$ with low Hamming weight. In [2], the
authors assume that an $L^\oplus$ with Hamming weight of 8 exists. However, the best
Hamming weight we found for $L^\oplus$ is 10.

$$L^\oplus = \mathtt{02201080A4020104} \qquad (4)$$

In total we found $502 = |\mathcal{L}|$ possible modular differences (out of $1024 = |\mathcal{L}'|$)
which are consistent with the XOR-difference $L^\oplus$ given above. This facilitates the
attack in the following steps.

Second, we need a set $\mathcal{K}$ of possible modular differences $K^+$ which are consistent
with a low-weight XOR-difference $K^\oplus$.

$$\mathcal{K} = \{K^+ \in \mathcal{K}' : K^+ = \mathrm{odd}(B_{13} \oplus L^\oplus) \boxminus \mathrm{odd}(B_{13})\}$$

where $\mathcal{K}'$ is the set of modular differences $K^+$ which are consistent with the XOR-difference
$K^\oplus$. Of course, the choice of $L^\oplus$ and the number of possible modular
differences $L^+ \in \mathcal{L}$ restricts our choices for $B_{13}[\mathrm{odd}]$. Nevertheless, we found
$2 = |\mathcal{K}|$ possible modular differences $K^+$ (out of $256 = |\mathcal{K}'|$) which are consistent
with the XOR-difference $K^\oplus$ given below.

$$K^\oplus = \mathtt{0880020019000900} \qquad (5)$$

Note that the precomputation step of the attack has to be done only once. It
has a complexity of about $2 \cdot 2^{32}$ round computations of Tiger. This is approximately
$2^{28.5}$ evaluations of the compression function of Tiger.
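As an added illustration of the consistency notion used in this precomputation (our own example code, not the paper's), the following enumerates the set $\mathcal{L}'$ of modular differences consistent with a given XOR-difference and checks the sizes $|\mathcal{L}'| = 2^{10}$ and $|\mathcal{K}'| = 2^{8}$ for the values in (4) and (5); the function names and the witness construction in the comments are ours.

```python
# Added example (not the paper's code): the set L' of modular differences that are
# consistent with an XOR-difference (Section 4.1), for the L⊕ and K⊕ of (4) and (5).
from itertools import product

MASK = (1 << 64) - 1
L_XOR = 0x02201080A4020104   # L⊕ of equation (4)
K_XOR = 0x0880020019000900   # K⊕ of equation (5)

def hamming_weight(d):
    return bin(d).count("1")

def consistent_modular_differences(xor_diff):
    """Return {p* ⊟ p mod 2^64 : p* ⊕ p = xor_diff} as a dict mapping each modular
    difference to one witness p. At every set bit j of xor_diff the pair (p, p*)
    differs by +2^j (bit j of p clear) or -2^j (bit j of p set), so the modular
    difference is a signed sum over the set bits; unless the MSB is involved
    (+2^63 = -2^63 mod 2^64) all 2^hw(xor_diff) sign patterns are distinct."""
    bits = [j for j in range(64) if (xor_diff >> j) & 1]
    witnesses = {}
    for signs in product((0, 1), repeat=len(bits)):
        p = sum(1 << j for j, s in zip(bits, signs) if s)   # set bit -> -2^j
        p_star = p ^ xor_diff
        witnesses[(p_star - p) & MASK] = p
    return witnesses

def is_consistent(mod_diff, xor_diff):
    """Is the modular difference mod_diff consistent with the XOR-difference xor_diff?"""
    return (mod_diff & MASK) in consistent_modular_differences(xor_diff)
```

For the single MSB difference I the set collapses to {I}, which is the remark made after characteristic (2).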

4.2 Compute $B_9$, $C_9$, and $C_{10}$

In this step of the attack, we have to compute $B_9$, $C_9$ and $C_{10}$. Therefore, we first
choose random values for $B_4$ and $B_5$ and compute $A_5 = (B_4 \boxplus \mathrm{odd}(B_5)) \boxtimes \mathrm{mult}$.
Since there is a difference in the MSB of $X_5$ and no differences in $B_4$ and $C_4$, we
also get $\Delta^\boxplus(B_5) = I$ and $\Delta^\boxplus(A_5) = A^*_5 \boxminus A_5$. Note that there is no difference
in $C_5$, since there are no differences in $A_4$ and $B_5[\mathrm{even}]$.

Second, we choose a random value for $B_6$. Since there is a difference
$\Delta^\oplus(X_6) = I'$ and no difference in $C_5$, we also know the modular difference
$\Delta^\boxplus(B_6) = (B_6 \oplus I') \boxminus B_6$. Once we know $B_6$ and $B^*_6 = B_6 \boxplus \Delta^\boxplus(B_6)$,
we can calculate $B_9, C_9, C_{10}$ (and $B^*_9, C^*_9, C^*_{10}$) by choosing random values for
$X_7, \ldots, X_9$ and $X_{10}[\mathrm{even}]$. This step of the attack has a complexity of about
12 round computations of Tiger and fixes the message words $X_7, \ldots, X_9$ and
$X_{10}[\mathrm{even}]$.

4.3 Constructing the XOR-Difference $\Delta^\oplus(C_{11}) = K^\oplus$

To construct the XOR-difference $K^\oplus$ in round 11, we use the message modification
technique described in Section 3.2. For all modular differences $K^+ \in \mathcal{K}'$, we
do a message modification step and check if $\Delta^\oplus(C_{11}) = K^\oplus$. Since the Hamming
weight of $K^\oplus$ is 8, this holds with a probability of $2^{-8}$. Furthermore, the message
modification step has a probability of $2^{-1}$. Hence, this step of the attack
succeeds with a probability of $2^{-8} \cdot 2^{-1} \cdot |\mathcal{K}'| = 2^{-1}$ and determines the message
words $X_{10}[\mathrm{odd}]$ and $X_{11}[\mathrm{even}]$.

Finishing this step of the attack has a complexity of about $(12 + 2^{32} + 2^{8} \cdot 2^{32}) \cdot 2 \approx 2^{41}$
round computations of Tiger. This is approximately $2^{36.5}$
evaluations of the compression function of Tiger.


4.4 Constructing the XOR-Difference $\Delta^\oplus(C_{12}) = L^\oplus$

Once we have fixed $X_{10}[\mathrm{odd}]$ and $X_{11}[\mathrm{even}]$, we can calculate the state variables
$B_{10}$, $C_{10}$, $C_{11}$ (and $B^*_{10}$, $C^*_{10}$, $C^*_{11}$). To construct $L^\oplus$ in round 12, we use the
same method as described before. For all modular differences $L^+ \in \mathcal{L}'$ we do
a message modification step and check if $\Delta^\oplus(C_{12}) = L^\oplus$. Since the Hamming
weight of $L^\oplus$ is 10, this equation holds with a probability of $2^{-10}$. Hence, this
step of the attack has a probability of $2^{-10} \cdot 2^{-1} \cdot |\mathcal{L}'| = 2^{-1}$ and determines the
message words $X_{11}[\mathrm{odd}]$ and $X_{12}[\mathrm{even}]$. Finishing this step of the attack has a
complexity of about $(2^{41} + (2^{32} + 2^{32} \cdot 2^{10})) \cdot 2 \approx 2^{43.6}$ round computations of
Tiger. This is approximately $2^{39}$ evaluations of the compression function
of Tiger.

4.5 Constructing the XOR-Difference /\®(Ci 3 ) = I 

Once we have fixed Xu [odd] and Xi 2 [even], we can compute Bn, Cn and C12 
as well as the according modular differences. In order to construct the needed 
difference A® (A13) = I in round 13, we apply again a message modification step. 
Since the XOR-difference and the modular difference is the same for differences 
in the MSB, we do not need to compute the list of modular differences that are 
consistent to the XOR-difference / for the message modification step. This step 
of the attack succeeds with a probability of 2 _1 and determines the message 
words Xi 2 [odd] and Xi3[even]. 

Once we have fixed the message words, we can compute $B_{12}$, $C_{12}$ and $C_{13}$ as 
well as the according modular differences. In order to guarantee that $\Delta^{\boxplus}(B_{12})$ 
can be canceled by $\Delta^{\boxplus}(\text{odd}(B_{13}))$, we need that $\Delta^{\boxplus}(B_{12}) \in \mathcal{K}$. Since the number 
of modular differences $\Delta^{\boxplus}(B_{12}) = K^{\boxplus}$ consistent with $K^{\oplus}$ is $|\mathcal{K}'| = 2^8$ and $|\mathcal{K}| = 2$, 
the probability that $\Delta^{\boxplus}(B_{12}) \in \mathcal{K}$ is $2^{-7}$. Hence, we have to repeat the 
attack about $2 \cdot 2^7$ times to finish this step of the attack. This determines the 
message words $X_{12}[\text{odd}]$, $X_{13}[\text{even}]$ and $X_{13}[\text{odd}]$ and has a complexity of 
about $(2^{43.6} + (2^{32} + 2^{32})) \cdot 2^8 \approx 2^{51.6}$ round computations of Tiger. This is 
about $2^{47}$ evaluations of the compression function of Tiger. 

Once we have fixed $X_{13}[\text{odd}]$ and hence $X_{13}$, we can compute $A_{13}$, $B_{13}$ and $C_{13}$ as 
well as the according modular differences. In order to guarantee that $\Delta^{\boxplus}(B_{13})$ 
can be canceled in round 14 by $\Delta^{\boxplus}(\text{odd}(B_{14}))$, we need that $\Delta^{\boxplus}(B_{13}) \in \mathcal{L}$. 
Due to the choice of $L^{\oplus}$ and $K^{\oplus}$ in the precomputation step this holds with 
probability 1. 


Cryptanalysis of the Tiger Hash Function 545 


Hence, we can construct a pseudo-collision in the compression function of 
Tiger after 17 rounds, and likewise after 24 rounds, with a complexity close to 
$2^{47}$ evaluations of the compression function of Tiger. 

4.6 Computing the Message Words $X_0, \ldots, X_7$ 

The attack fixes the message words $X_7, \ldots, X_{13}$ and $X_{14}[\text{odd}]$. To compute the 
message words $X_0, \ldots, X_7$ we use the inverse key schedule of Tiger. Therefore, 
we choose a random value for $X_{14}[\text{even}]$ and compute $X_{15}$ as follows: 

$X_{15} = (X_7 \oplus (X_{14} - X_{13})) - (X_{14} \oplus \texttt{0123456789ABCDEF})$ 

This guarantees that $X_7$ is correct after computing the key schedule backward. 

Since the characteristic we use for the key schedule of Tiger has a probability 
of $2^{-1}$ to hold, we expect that we have to repeat this step of the attack (for a 
different value of $X_{14}[\text{even}]$) about two times such that the characteristic holds 
in the key schedule of Tiger. This adds negligible cost to the attack complexity. 

4.7 Computing the Initial Value IV 

Once we have computed the message words $X_0, \ldots, X_7$, we can run the rounds 
6, 5, ..., 0 backwards to get the initial value IV. Since there is a difference $I$ 
induced in round 1 by $X_1$, we have to inject the same difference in the initial 
value to cancel it out, namely 

$\Delta^{\oplus}(A_{-1}) = I.$ 

Since the difference is in the MSB, this happens with probability 1. Of course, 
the feed forward destroys the pseudo-collision. After the feed forward we get the 
same output differences as in the initial values. 

$\Delta^{\oplus}(A_{24}) = \Delta^{\oplus}(A_{-1} \oplus A_{23}) = I$ 

Hence, we get a 1-bit circular pseudo-near-collision for the Tiger hash function 
with a complexity of about $2^{47}$ evaluations of the compression function of Tiger. 
Note that for an ideal hash function with a hash value of 192 bits one would 
expect a complexity of about $2^{90}$ to construct a pseudo-near-collision with a 
1-bit difference. 

5 A Pseudo-collision for 23 Rounds of Tiger 

In a similar way as we construct the pseudo-near-collision for the full Tiger 
hash function, we can also construct a pseudo-collision (free-start collision) for 
Tiger reduced to 23 rounds by using another characteristic for the key schedule. 
For the attack we use the key schedule differences given below. It holds with 
probability 1. 

$(0, 0, 0, I, 0, 0, 0, I) \rightarrow (0, I, 0, 0, 0, 0, 0, I) \rightarrow (0, 0, 0, 0, 0, 0, 0, I)$ (6) 

This characteristic for the key schedule of Tiger can be used in a similar way 
(as in the pseudo-near-collision for the full Tiger hash function) to construct 
a pseudo-collision in Tiger reduced to 23 rounds. The attack has a complexity 
of about $2^{47}$ evaluations of the compression function of Tiger. It can be summarized as 
follows: 

0. Precomputation: First, find a set of possible modular differences $L^{\boxplus}$ with a 
low Hamming weight XOR-difference $L^{\oplus}$ which can be canceled by a suitable 
choice for $B_{12}$. Second, we have to find a set of possible modular differences 
$K^{\boxplus}$ with a low Hamming weight XOR-difference $K^{\oplus}$ which can be canceled 
out by a suitable choice for $B_{11}$. Note that we use in the attack the same values 
for $L^{\oplus}$ and $K^{\oplus}$ as in the pseudo-near-collision attack on the full Tiger hash 
function. This step of the attack has a complexity of about $2^{28.5}$ evaluations 
of the compression function of Tiger. 

1. Choose random values for $A_2$, $B_2$, $C_2$ and $X_3, \ldots, X_7$ and $X_8[\text{even}]$ to compute 
$B_7$, $C_7$ and $C_8$. This step of the attack has a complexity of about 12 
round computations of Tiger. 

2. Apply a message modification step to construct the XOR-difference $K^{\oplus}$ in 
round 9. This has a complexity of about $2^{36.5}$ and determines the message 
words $X_8[\text{odd}]$ and $X_9[\text{even}]$. 

3. Apply another message modification step to construct the XOR-difference 
$L^{\oplus}$ in round 10. Finishing this step of the attack has a complexity of about 
$2^{39}$ and determines the message words $X_9[\text{odd}]$ and $X_{10}[\text{even}]$. 

4. To construct the XOR-difference $I$ in round 11, we apply again a message 
modification step. This step has a complexity of about $2^{40}$ and determines 
the message words $X_{10}[\text{odd}]$ and $X_{11}[\text{even}]$. 

5. Once we have fixed the message words, we can compute $B_{10}$, $C_{10}$ and $C_{11}$ 
as well as the according modular differences. Since the difference in $B_{10}$ can 
be canceled out with a probability close to $2^{-7}$ (cf. Section 4.5), we have to 
repeat the attack about $2^7$ times. Hence, finishing this step of the attack has 
a complexity of about $2^{47}$ hash computations. 

6. Determine $X_{11}[\text{odd}]$ and $X_{12}[\text{odd}]$ according to the result of the precomputation 
step. This adds no additional cost to the attack complexity. 

7. To compute the message words $X_0, \ldots, X_7$, we have to choose suitable values 
for $X_{12}[\text{even}]$ and $X_{13}, \ldots, X_{15}$ such that $X_5$, $X_6$ and $X_7$ are correct after 
computing the key schedule backward. Note that $X_3$ and $X_4$ can be chosen 
freely, because we can modify $C_2$ and $C_3$ such that $C_2 \oplus X_3$ and $C_3 \oplus X_4$ 
stay constant. In detail, we choose an arbitrary value for $X_{12}[\text{even}]$ and 
calculate $X_{13}, \ldots, X_{15}$ as follows. 

$X_{13} = (X_5 + (X_{12} + (X_{11} \oplus (\lnot X_{10} \gg 23)))) \oplus X_{12}$ 

$X_{14} = (X_6 - ((X_{13} \oplus X_{12}) \oplus (\lnot(X_{12} + (X_{11} \oplus (\lnot X_{10} \gg 23))) \gg 23))) + X_{13}$ 

$X_{15} = (X_7 \oplus (X_{14} - X_{13})) - (X_{14} \oplus \texttt{0123456789ABCDEF})$ 

This adds negligible cost to the attack complexity and guarantees that $X_5$, 
$X_6$ and $X_7$ are always correct after computing the key schedule backward. 
8. To compute the initial chaining values $A_{-1}$, $B_{-1}$ and $C_{-1}$ run the rounds 2, 
1, and 0 backwards. 

Hence, we can construct a pseudo-collision (free-start collision) for Tiger reduced 
to 23 rounds with a complexity of about $2^{47}$ applications of the compression 
function. 
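The backward key-schedule computation used in Section 4.6 and in step 7 above, as an added example (this is not code from the paper): it implements the Tiger key schedule forward and backward, the three formulas for $X_{13}$, $X_{14}$, $X_{15}$, and checks that inverting the key schedule from $X_8, \ldots, X_{15}$ returns the prescribed $X_5$, $X_6$, $X_7$. The values used for $X_5, \ldots, X_7$ and $X_8, \ldots, X_{12}$ are constructed test constants, not values from the attack.

```python
# Added example, not the paper's code: Tiger key schedule, its inverse, and the
# step-7 formulas that pick X_13, X_14, X_15 so that running the schedule
# backwards from X_8..X_15 returns prescribed X_5, X_6, X_7.
MASK = (1 << 64) - 1
C_A5 = 0xA5A5A5A5A5A5A5A5
C_01 = 0x0123456789ABCDEF

def not64(v):
    return ~v & MASK

def shl19(v):
    return (v << 19) & MASK

def tiger_key_schedule(x):
    """Forward key schedule: (X_0, ..., X_7) -> (X_8, ..., X_15), two passes."""
    x = list(x)
    x[0] = (x[0] - (x[7] ^ C_A5)) & MASK                 # Y_0
    x[1] ^= x[0]                                          # Y_1
    x[2] = (x[2] + x[1]) & MASK                           # Y_2
    x[3] = (x[3] - (x[2] ^ shl19(not64(x[1])))) & MASK   # Y_3
    x[4] ^= x[3]                                          # Y_4
    x[5] = (x[5] + x[4]) & MASK                           # Y_5
    x[6] = (x[6] - (x[5] ^ (not64(x[4]) >> 23))) & MASK  # Y_6
    x[7] ^= x[6]                                          # Y_7
    x[0] = (x[0] + x[7]) & MASK                           # X_8
    x[1] = (x[1] - (x[0] ^ shl19(not64(x[7])))) & MASK   # X_9
    x[2] ^= x[1]                                          # X_10
    x[3] = (x[3] + x[2]) & MASK                           # X_11
    x[4] = (x[4] - (x[3] ^ (not64(x[2]) >> 23))) & MASK  # X_12
    x[5] ^= x[4]                                          # X_13
    x[6] = (x[6] + x[5]) & MASK                           # X_14
    x[7] = (x[7] - (x[6] ^ C_01)) & MASK                  # X_15
    return x

def tiger_inverse_key_schedule(y):
    """Backward key schedule: (X_8, ..., X_15) -> (X_0, ..., X_7)."""
    x = list(y)
    x[7] = (x[7] + (x[6] ^ C_01)) & MASK                  # Y_7
    x[6] = (x[6] - x[5]) & MASK                           # Y_6
    x[5] ^= x[4]                                          # Y_5
    x[4] = (x[4] + (x[3] ^ (not64(x[2]) >> 23))) & MASK  # Y_4
    x[3] = (x[3] - x[2]) & MASK                           # Y_3
    x[2] ^= x[1]                                          # Y_2
    x[1] = (x[1] + (x[0] ^ shl19(not64(x[7])))) & MASK   # Y_1
    x[0] = (x[0] - x[7]) & MASK                           # Y_0
    x[7] ^= x[6]                                          # X_7
    x[6] = (x[6] + (x[5] ^ (not64(x[4]) >> 23))) & MASK  # X_6
    x[5] = (x[5] - x[4]) & MASK                           # X_5
    x[4] ^= x[3]                                          # X_4
    x[3] = (x[3] + (x[2] ^ shl19(not64(x[1])))) & MASK   # X_3
    x[2] = (x[2] - x[1]) & MASK                           # X_2
    x[1] ^= x[0]                                          # X_1
    x[0] = (x[0] + (x[7] ^ C_A5)) & MASK                  # X_0
    return x

def tail_words_for(x5, x6, x7, x10, x11, x12):
    """Step 7: X_13, X_14, X_15 as functions of the wanted X_5, X_6, X_7 and the
    already fixed X_10, X_11, X_12 (y4, y5 are the intermediate Y_4, Y_5)."""
    y4 = (x12 + (x11 ^ (not64(x10) >> 23))) & MASK
    x13 = ((x5 + y4) & MASK) ^ x12
    y5 = x13 ^ x12
    x14 = ((x6 - (y5 ^ (not64(y4) >> 23))) + x13) & MASK
    x15 = ((x7 ^ ((x14 - x13) & MASK)) - (x14 ^ C_01)) & MASK
    return x13, x14, x15

def check(x5, x6, x7, fixed_x8_to_x12):
    """Run the construction and return the (X_5, X_6, X_7) recovered backwards."""
    x13, x14, x15 = tail_words_for(x5, x6, x7, *fixed_x8_to_x12[2:])
    second_half = list(fixed_x8_to_x12) + [x13, x14, x15]
    first_half = tiger_inverse_key_schedule(second_half)
    assert tiger_key_schedule(first_half) == second_half   # the schedule is a bijection
    return tuple(first_half[5:])

if __name__ == "__main__":
    want = (0x1122334455667788, 0x99AABBCCDDEEFF00, 0x0F1E2D3C4B5A6978)
    fixed = [0xDEADBEEFCAFEBABE, 0x0123456789ABCDEF, 0xFEDCBA9876543210,
             0x5555555555555555, 0xAAAAAAAAAAAAAAAA]      # constructed X_8..X_12
    print(check(*want, fixed) == want)
```

Because the second pass of the schedule only adds, XORs or subtracts words that are already fixed, each of the three formulas inverts exactly one step, which is why the choice costs nothing and leaves $X_0, \ldots, X_4$ as whatever the backward schedule produces.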


6 Conclusion 

In this article, we have shown a 1-bit circular pseudo-near-collision for the full 
Tiger hash function with a complexity of about $2^{47}$ evaluations of the compression 
function of Tiger. This is the first attack on the full Tiger hash function. 
Furthermore, we show a pseudo-collision for Tiger reduced to 23 (out of 24) 
rounds with the same complexity. Our attack is based on the attack of Kelsey 
and Lucks on round-reduced variants of the Tiger hash function. This work 
shows that the security margins of the Tiger hash function are not as good as 
one would expect. 
A Collision Attack on Tiger Reduced to 16 Rounds 

In this section, we briefly describe the attack of Kelsey and Lucks on Tiger 
reduced to 16 rounds. Note that in the original description of the attack the 
wrong S-boxes are addressed. However, the attack can be easily modified to work 
with the correct S-boxes as well. Note that the modified attack has a slightly 
worse complexity, namely about $2^{47}$ instead of $2^{44}$ hash computations. For the 
attack the same characteristic is used for the key schedule of Tiger as in the 
original attack. The characteristic is shown below. 

$(I, I, I, I, 0, 0, 0, 0) \rightarrow (I, I, 0, 0, 0, 0, 0, 0)$ (7) 

It has a probability of 1 to hold in the key schedule of Tiger, which facilitates 
the attack. The attack can be summarized as follows. 

0. Precomputation: Like in the pseudo-near-collision attack on Tiger described 
before, we have to find a set of possible modular differences $L^{\boxplus}$ with a low 
Hamming weight XOR-difference $L^{\oplus}$ which can be canceled out by a suitable 
choice for $B_6$. 

$\mathcal{L} = \{L^{\boxplus} \in \mathcal{L}' : L^{\boxplus} = \text{odd}(B_6 \oplus I) - \text{odd}(B_6)\}$ 

Second, we have to find a set of possible modular differences $K^{\boxplus}$ with a 
low Hamming weight XOR-difference $K^{\oplus}$ which can be canceled out by a 
suitable choice for $B_5$. 

$\mathcal{K} = \{K^{\boxplus} \in \mathcal{K}' : K^{\boxplus} = \text{odd}(B_5 \oplus L^{\oplus}) - \text{odd}(B_5)\}$ 

Note that we assume in the attack that we can find a XOR-difference $L^{\oplus}$ with 
Hamming weight of 10 and a XOR-difference $K^{\oplus}$ with Hamming weight of 8 
(as in the pseudo-near-collision attack on the full Tiger hash function). The 
precomputation step of the attack has a complexity of about $2^{28.5}$ evaluations 
of the compression function of Tiger. 

1. Choose random values for $X_0$, $X_1$ and $X_2[\text{even}]$ to compute $B_1$, $C_1$ and 
$C_2$. This step of the attack has a complexity of about 6 round computations 
of Tiger. 

2. Apply a message modification step to construct the XOR-difference $K^{\oplus}$ in 
round 3. This step has a complexity of about $2^{36.5}$ hash computations and 
determines the message words $X_2[\text{odd}]$ and $X_3[\text{even}]$. 

3. Apply a second message modification step to construct the XOR-difference 
$L^{\oplus}$ in round 4. Finishing this step of the attack has a complexity of about 
$2^{39}$ and determines the message words $X_3[\text{odd}]$ and $X_4[\text{even}]$. 

4. To construct the XOR-difference $I$ in round 5, we apply again a message 
modification step. Finishing this step has a complexity of about $2^{40}$ and 
determines the message words $X_4[\text{odd}]$ and $X_5[\text{even}]$. 

5. Once we have fixed the message words, we can compute $B_4$, $C_4$ and $C_5$ as 
well as the according modular differences. To cancel the difference in $B_4$ we 
need that $\Delta^{\boxplus}(B_4) \in \mathcal{K}$. Since we assume that the Hamming weight of $K^{\oplus}$ 
is 8, this has (in the worst case) a probability of $2^{-7}$. 

In order to guarantee that the difference in $B_5$ is canceled, we need that 
$\Delta^{\boxplus}(B_5) \in \mathcal{L}$. Since $L^{\oplus}$ has a Hamming weight of 10, this has a probability 
(in the worst case) of $2^{-9}$. Hence, we expect that we have to repeat the 
attack about $2^{16}$ times to finish this step. However, by choosing $L^{\oplus}$ and $K^{\oplus}$ 
carefully this can be improved. From our analysis (for the pseudo-near-collision 
for the full Tiger hash function), we expect that this probability can be 
improved by a factor of $2^9$, resulting in an attack complexity of about $2^{47}$ hash 
computations. 

6. Determine $X_5[\text{odd}]$ and $X_6[\text{odd}]$ according to the results of the precomputation 
step. This adds no additional cost to the attack complexity. 

Hence, a collision can be constructed in Tiger reduced to 16 rounds with a 
complexity close to $2^{47}$ evaluations of the compression function. Note that the 
other attacks on round-reduced variants of Tiger can be adjusted in a similar 
way. 

B Collision Attack on Tiger Reduced to 19 Rounds 

In this section, we show how the collision attack on Tiger-19 presented in [3] has 
to be modified to work with the correct S-boxes. The complexity of the attack 
is close to $2^{62}$ evaluations of the compression function of Tiger. To construct 
a collision in Tiger-19 the key schedule difference given in (8) is used. It has 
probability 1 to hold in the key schedule of Tiger, which facilitates the attack. 

$(0, 0, 0, I, I, I, I, 0) \rightarrow (0, 0, 0, I, I, 0, 0, 0) \rightarrow (0, 0, 0, I, I, I, I, I)$ (8) 

Since the key schedule difference from round 3 to 18 is the 16-round difference 
used in the attack on Tiger-16, the same attack strategy can be used for the 
collision attack on Tiger-19 as well. The attack can be summarized as follows: 

1. Choose arbitrary values for $X_0, \ldots, X_4$ and compute the state variables $A_3$, 
$B_3$, and $B_4$. 

2. Employ the attack on 16 rounds of Tiger to find the message words $X_5, \ldots, 
X_7$ and $X_8$, $X_9[\text{odd}]$ such that the output after round 18 collides. 

3. To guarantee that $X_8$, $X_9[\text{odd}]$ are correct after applying the key schedule, 
we use the degrees of freedom we have in the choice of $X_0, \ldots, X_4$. Note 
that for any difference injected in $X_0$ and $X_1$ one can adjust $X_2$, $X_3$, $X_4$ 
accordingly such that $A_3$, $B_3 = C_2 \oplus X_3$ and $B_4 = C_3 \oplus X_4$ stay constant. 
Furthermore, we get the following equations for $X_8$ and $X_9$ from the key 
schedule of Tiger. 

$X_8 = Y_0 + Y_7$ 

$X_9 = Y_1 - (X_8 \oplus (\lnot Y_7 \ll 19))$ 

where 

$Y_0 = X_0 - (X_7 \oplus \texttt{A5A5A5A5A5A5A5A5})$ 

$Y_1 = X_1 \oplus Y_0$ 

$Y_2 = X_2 + Y_1$ 

$Y_3 = X_3 - (Y_2 \oplus (\lnot Y_1 \ll 19))$ 

$Y_4 = X_4 \oplus Y_3$ 

$Y_5 = X_5 + Y_4$ 

$Y_6 = X_6 - (Y_5 \oplus (\lnot Y_4 \gg 23))$ 

$Y_7 = X_7 \oplus Y_6$ 

To solve these equations the following method is used: 

(a) Choose a random value for $Y_0$. This determines $Y_7$ and $X_0$. 

(b) Choose a random value for $X_9[\text{even}]$. This determines $X_1$. 

(c) Adjust $X_2$, $X_3$, $X_4$ accordingly such that $A_3$, $B_3 = C_2 \oplus X_3$ and $B_4 = 
C_3 \oplus X_4$ stay constant. 

(d) Once we have fixed $X_2$, $X_3$, and $X_4$, we have to check if $Y_7$ is correct 
(this holds with a probability of $2^{-64}$). After repeating the method about 
$2^{64}$ times for different values of $Y_0$, we expect to find a match. 

Hence, this step of the attack has a complexity of about $2^{64}$ key schedule 
computations and $4 \cdot 2^{64}$ round computations of Tiger. This is equivalent to 
about $2^{62}$ evaluations of the compression function of Tiger. 

Thus, we can construct a collision in Tiger reduced to 19 rounds with a complexity 
of about $2^{62} + 2^{47} \approx 2^{62}$ evaluations of the compression function of Tiger. 
Abstract. Due to recent breakthroughs in hash function cryptanalysis, some 
new hash schemes have been proposed. Grindahl is a novel hash function, designed 
by Knudsen, Rechberger and Thomsen and published at FSE 2007. It has 
the particularity that it follows the Rijndael design strategy, with an efficiency 
comparable to SHA-256. This paper provides the first cryptanalytic work on this 
new scheme. We show that the 256-bit version of Grindahl is not collision 
resistant. With a work effort of approximately $2^{112}$ hash computations, one can 
generate a collision. 

Keywords: Grindahl, hash functions, Rijndael. 


1 Introduction 

Hash functions are one of the most utilized primitives in cryptography. Basically, a 
hash function $H$ is a function that maps an input of variable size to a fixed length 
output value. A cryptographic hash function has the additional feature that it must 
satisfy some security properties such as preimage resistance, second preimage resistance 
and collision resistance. For an ideal hash function with an $n$-bit output, one expects 
that compromising these properties should require $2^n$, $2^n$ and $2^{n/2}$ operations 
respectively. 

A possible way of building a hash function has been introduced by the pioneering 
work of Merkle and Damgård, using an iterative process: at each iteration, a 
fixed-length input function $h$ (the compression function) updates an internal state called 
chaining variable with some part of the message. With some appropriate padding of the 
message to be hashed, the problem of building a collision-resistant hash function $H$ is 
then reduced to the problem of building a collision-resistant compression function $h$. 
However, due to recent attacks against this iterative process, other hash 
domain extensions have been introduced. 

Almost all the proposed hash functions define a compression function to be used with 
any hash domain extension algorithm. There are basically three different ways of building 
a compression function. First, one can relate the security of $h$ to a hard problem, 
such as factorisation, finding small vectors in lattices, syndrome 
decoding or solving multivariate quadratic equations. The usually bad efficiency 
of these schemes is compensated by the proofs of security they provide. Another very 
active domain is the construction of secure compression functions based on block 
ciphers. The problem of building a secure $n$-bit compression function from an ideal $n$-bit 
block cipher is more or less resolved and, due to a need for bigger output sizes, 
the cryptographic community is now concentrating on the problem of building a secure 
$(k \times n)$-bit compression function from an ideal $n$-bit block cipher. Finally, 
the most common and efficient way of building a compression function is from scratch, 
for example the well known and standardized SHA-1 or MD5. However, 
almost all hash functions of this type have been broken by novel cryptanalysis 
results. 

* The author is supported by the Japan Society for Promotion of Science and the French RNRT 
SAPHIR project (http://www.crypto-hash.fr). 

K. Kurosawa (Ed.): ASIACRYPT 2007, LNCS 4833, pp. 551-567, 2007. 

© International Association for Cryptologic Research 2007 

552 T. Peyrin 

To anticipate further improvements of the attacks, the NIST is initiating an effort 
to develop one or more additional hash algorithms through a public competition, similar 
to the development process for the Advanced Encryption Standard. In parallel, 
new hash functions have been published very recently, such as FORK-256 (since broken), 
RadioGatún or Grindahl. We show here that for the Grindahl 
hash function one can find a collision (resp. a second preimage) with a work effort of 
approximately $2^{112}$ (resp. $2^{224}$) hash computations, whereas $2^{n/2}$ (resp. $2^n$) is 
expected for an ideal hash function. Note that the designers of Grindahl only claimed 
a (second) preimage security of $2^{n/2}$ operations, already providing an attack requiring 
fewer than $2^n$ operations. 

The paper is organized as follows. In Section 2 we quickly recall the specification 
of the Grindahl hash function and in Section 3 we begin the analysis with various 
observations on the scheme and the general methodology that allows us to build a 
differential path. Then, in Section 4 we provide the first collision attack on Grindahl. 
Finally, we discuss possible patches in Section 5 and we conclude in Section 6. 

2 Description of Grindahl 

Grindahl is a family of hash functions based on the so-called Concatenate-Permute-Truncate 
strategy, where in our case the permutation uses the design principles of Rijndael, 
well known for being the winning candidate of the Advanced Encryption 
Standard (AES) process. Two algorithms are defined, a version with a 256-bit output 
and a 512-bit one. Also, a compression function mode is given, taking only fixed-length 
inputs, to be used with any hash domain extension algorithm. We give in this 
section a quick description of the Grindahl hash function with a 256-bit output. For 
a more detailed specification of the algorithm, we refer to the original paper. 

Let $n = 256$ be the number of output bits of the hash function $H$, with an internal 
state $s$ of 48 bytes (384 bits), and let $M$ be the message (appropriately padded) to 
be hashed. $M$ is split into $m$ blocks $M_1, \ldots, M_m$ of 4 bytes each (32 bits). At each 
iteration $k$, the message block $M_k$ will be used to update the internal state $s_{k-1}$. We 
call extended internal state $\hat{s}_k$ the concatenation of the message block $M_{k+1}$ and the 
internal state $s_k$, i.e. $\hat{s}_k = M_{k+1} \| s_k$. We thus have $|\hat{s}_k| = (4 + 48) \times 8 = 416$ bits. We 
denote by $\text{trunc}_t(x)$ the least significant $t$ bits of $x$. Let $P : \{0,1\}^{416} \mapsto \{0,1\}^{416}$ be 
a non-linear permutation, and let $s_0$ be the initial internal state defined by $s_0 = \{0\}^{384}$. 
Then, for each iteration $k$ with $0 < k < m$, we have $s_k = \text{trunc}_{384}(P(\hat{s}_{k-1}))$. For the 
last iteration, the truncation is omitted: $\hat{s}_m = P(\hat{s}_{m-1})$. Finally, we apply eight blank 
rounds $\hat{s}_k = P(\hat{s}_{k-1})$, for $m < k \leq m + 8$, and the output of the hash function is 
$\text{trunc}_{256}(\hat{s}_{m+8})$. 

The description is not complete since $P$ has not yet been defined. This permutation 
follows the design principle of Rijndael (the reader is expected to be familiar with 
the transformations defined in the Rijndael specifications) and thus the extended state 
$\hat{s}$ is viewed as a matrix of bytes. However, instead of a $(4, 4)$ byte matrix, we have a 
matrix $a$ of 4 rows and 13 columns in the case of the 256-bit version of Grindahl. 
The entry of the matrix $a$ located at the $i$-th row and the $j$-th column is a byte denoted 
by $a_{i,j}$. Thus, we have: 




$$a = \begin{pmatrix} a_{0,0} & a_{0,1} & \cdots & a_{0,12} \\ a_{1,0} & a_{1,1} & \cdots & a_{1,12} \\ a_{2,0} & a_{2,1} & \cdots & a_{2,12} \\ a_{3,0} & a_{3,1} & \cdots & a_{3,12} \end{pmatrix}$$ 


By splitting the extended internal state $\hat{s}$ into 52 8-bit chunks $x_0, \ldots, x_{51}$, we can 
define the conversion from $\hat{s}$ to $a$ by $a_{i,j} = x_{i + 4 \times j}$. This mapping has a natural inverse. 
Basically, before each iteration, the first column of $a$ is overwritten with the incoming 
message block. Finally, the permutation $P$ is defined as 

$P(a) = \text{MixColumns} \circ \text{ShiftRows} \circ \text{SubBytes} \circ \text{AddConstant}(a).$ 

MixColumns. This transformation is defined as in the Rijndael specifications. 

ShiftRows. This transformation cyclically shifts bytes a number of positions along each 
row. Thus, the $i$-th row is rotated by $\rho_i$ positions to the right, with $\rho_0 = 1$, $\rho_1 = 2$, 
$\rho_2 = 4$ and $\rho_3 = 10$. 

SubBytes. The only non-linear part of the permutation, exactly defined as the SubBytes 
function of Rijndael. 

AddConstant. This function is simply defined by $a_{3,12} \leftarrow a_{3,12} \oplus \texttt{01}$, where $\texttt{01}$ is 
the byte-wise hexadecimal value of 1. 

Note that the 512-bit version of Grindahl is based on the same principle as the 
256-bit version, but the extended internal state is bigger (8 rows instead of 4). The 
compression function mode for GRINDAHL-256 (without optional input) simply consists in 
hashing 40 4-byte message blocks for each compression function call. 

3 Overall Analysis 

In this section, we study possible ways of finding a good differential path for the 256-bit 
version of Grindahl. More precisely, we look for a trail of $k$ iterations starting from 
$s_0$ such that with two different messages $M$ and $M'$ we have the same hash output, i.e. 
$\text{trunc}_{256}(\hat{s}_{m+8}) = \text{trunc}_{256}(\hat{s}'_{m'+8})$. Thus, we only care about collision and second 
preimage resistance. Finding a differential path including the blank rounds seems hard 
since no message block is inserted during this last operation and thus we have very little 
control over this part. However, the problem looks much easier when trying to find an 
internal collision: a differential path excluding the blank rounds, i.e. $\hat{s}_m = \hat{s}'_{m'}$. Here, 
we explain how to find such a path, with the constraint that we want this path to have a 
good probability of success. 

3.1 A Known Potential Attack and the Truncated-Differences 

In the original paper from FSE 2007, a section explains a potential attack method, 
pointed out by an anonymous reviewer. This method seems quite natural: the attacker 
does not look at the actual values of differences inserted in the bytes of the internal 
state, but only checks if there is a difference or not (this greatly simplifies the analysis). 
We call this kind of zero or non-zero differences truncated-differences in reference 
to the very similar truncated differences used by Knudsen. Then, a chain 
of truncated-differences in which in every round the number of active bytes (bytes 
with a non-zero truncated-difference) is low must be found. In this differential path, 
the truncated-differences can only be erased during two stages of an iteration: during 
a MixColumns transformation or during the truncation at the end of the iteration. In 
other words, the number of truncated-differences in a column can be reduced and their 
position changed by a clever use of the MixColumns transformation (note however that 
one can never erase all the truncated-differences of a column at a time). Otherwise, a 
truncated-difference is deleted if it goes to the first column of $a$ at the end of the iteration, 
due to the truncation. Since at this stage of the attack the differential trail is already 
settled, one cannot force anything for the truncation, but one can play with the message 
blocks inserted at each iteration in order to force a good behaviour in the MixColumns 
transitions (see Section 4). In fact, the message bytes act as active/passive bits in the 
sense that new input bytes do not affect some parts of the internal state for a limited 
number of rounds (see Section 3.3). The feasibility of this method was left as an open 
problem, and we argue in Section 3.4 that there is a better way of finding a collision on 
Grindahl. 

3.2 Analysis of Differences Propagation in MixColumns 

The MixColumns transformation used in Grindahl is the same as in Rijndael, and 
its MDS property ensures maximal difference propagation. More precisely, the sum 
of the number of active bytes of the input and the output is at least 5. In 
other words, the number of non-zero truncated-differences of the input and the output 
of MixColumns is at least 5. 

More formally, let $V = (A, B, C, D)$ be an input vector of four bytes $A$, $B$, $C$ and 
$D$, and let $W = (A', B', C', D')$ be an output vector of four bytes $A'$, $B'$, $C'$ and $D'$. 
We denote the function MixColumns by $MC : V \mapsto W$ or $MC : (A, B, C, D) \mapsto 
(A', B', C', D')$. We also denote by $\Delta_i(V_1, V_2)$ the function returning 1 if the $i$-th byte 
of the 4-byte vectors $V_1$ and $V_2$ are different, and 0 otherwise. Finally, $ND(V_1, V_2)$ 
returns the number of such differences, i.e. $ND(V_1, V_2) = \#\{i \mid \Delta_i(V_1, V_2) = 1\}$. We 
thus have that if $W_1 = MC(V_1)$ and $W_2 = MC(V_2)$ with $V_1 \neq V_2$, then 

$ND(V_1, V_2) + ND(W_1, W_2) \geq 5.$ 

Table 1. Approximate probability that two 4-byte input words with $D_I$ different bytes on 
predefined positions map to two 4-byte output words with $D_O$ different bytes on predefined 
positions through MixColumns. The values are base 2 logarithms. [The table body is not 
recoverable from the extracted text.] 

Another interesting property is that any input byte of MixColumns defines a permutation 
for any output byte. Thus, with $W_1 = MC(V_1)$, $W_2 = MC(V_2)$ and $V_1 \neq V_2$ 
drawn uniformly at random in $\{0,1\}^{4 \times 8}$, we have for any $1 \leq i \leq 4$: 

$P_D = P[\Delta_i(W_1, W_2) = 0] = \frac{2^{24} - 1}{2^{32} - 1} \approx 2^{-8},$ (1) 

$P_{\bar{D}} = P[\Delta_i(W_1, W_2) = 1] = 1 - P_D \approx 1 - 2^{-8}.$ (2) 

Our goal is to compute the probability that a fixed mask of input truncated-differences 
maps to a fixed mask of output truncated-differences (later this will be 
often utilized in order to compute the probability of success of the differential path). 
For example, we want to be able to know the probability that two input words 
$V_1$ and $V_2$ distinct on their first 2 bytes give two output words different on their first 3 
bytes through MixColumns (note that this is slightly different from the event 
that any 2-byte difference input maps to any 3-byte difference output). We can compute 
those probabilities in two ways, formally or empirically by testing exhaustively 
all the input values: since MixColumns is linear, dealing with differences or values 
is the same (during the test, instead of looking for differences or non-differences, we 
checked for zero values or non-zero values). We give in Table 1 an approximation 
of those probabilities. 
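As an added example serving both the description of Section 2 and the counting argument of this section (this is my code, not the designers' reference implementation): the GRINDAHL-256 permutation $P$ and hash iteration as specified above, plus an exhaustive count of MixColumns truncated-difference transitions of the kind tabulated in Table 1. Two points are assumptions, because the text above does not fix them: the message is taken as already padded into 4-byte blocks, and the byte-to-matrix convention $a_{i,j} = x_{i+4j}$ is read with $x_0, \ldots, x_3$ as the message column, so that "least significant" bits kept by $\text{trunc}_t$ are the last bytes of the state.

```python
# Added example (not the GRINDAHL designers' reference code): the GRINDAHL-256
# permutation P and hash iteration of Section 2, and the exhaustive MixColumns
# truncated-difference count behind Table 1 of Section 3.2.
# Assumptions not fixed by the text: the message is already padded into 4-byte
# blocks; a[i][j] = x[i + 4*j] with x_0..x_3 the message column, so the
# "least significant" bits kept by trunc_t are the last bytes of the state.
from itertools import product

ROWS, COLS = 4, 13          # extended state a: 4 rows x 13 columns = 416 bits
RHO = (1, 2, 4, 10)         # ShiftRows: row i is rotated rho_i positions to the right
BLANK_ROUNDS = 8
MC = ((2, 3, 1, 1), (1, 2, 3, 1), (1, 1, 2, 3), (3, 1, 1, 2))  # Rijndael MixColumns matrix

def gf_mul(a, b):
    """Multiplication in GF(2^8) modulo the Rijndael polynomial x^8+x^4+x^3+x+1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1
        b >>= 1
    return r

def _build_sbox():
    """Rijndael S-box from its definition: inverse in GF(2^8), then the affine map."""
    exp, log, x = [0] * 255, [0] * 256, 1
    for i in range(255):                      # 3 generates the multiplicative group
        exp[i], log[x] = x, i
        x = gf_mul(x, 3)
    sbox = []
    for v in range(256):
        inv = exp[(255 - log[v]) % 255] if v else 0
        s = inv
        for _ in range(4):                    # s = inv ^ rotl(inv,1) ^ ... ^ rotl(inv,4)
            inv = ((inv << 1) | (inv >> 7)) & 0xFF
            s ^= inv
        sbox.append(s ^ 0x63)
    return sbox

SBOX = _build_sbox()
MUL = {c: [gf_mul(c, v) for v in range(256)] for c in (1, 2, 3)}   # coefficient tables

def mix_column(col):
    """MixColumns on one 4-byte column (identical to Rijndael)."""
    return tuple(MUL[MC[r][0]][col[0]] ^ MUL[MC[r][1]][col[1]]
                 ^ MUL[MC[r][2]][col[2]] ^ MUL[MC[r][3]][col[3]] for r in range(ROWS))

def permute(x):
    """P = MixColumns o ShiftRows o SubBytes o AddConstant on a 52-byte extended state."""
    a = [[x[i + 4 * j] for j in range(COLS)] for i in range(ROWS)]
    a[3][12] ^= 0x01                                                # AddConstant
    a = [[SBOX[b] for b in row] for row in a]                       # SubBytes
    a = [[row[(j - RHO[i]) % COLS] for j in range(COLS)]            # ShiftRows
         for i, row in enumerate(a)]
    cols = [mix_column([a[i][j] for i in range(ROWS)]) for j in range(COLS)]
    return bytes(cols[j][i] for j in range(COLS) for i in range(ROWS))

def grindahl256(blocks):
    """s_k = trunc_384(P(M_k || s_{k-1})) for k < m, no truncation for k = m,
    eight blank rounds, then trunc_256 of the result."""
    assert blocks and all(len(m) == 4 for m in blocks)
    s = bytes(48)                                   # s_0 = 0^384
    for k, m in enumerate(blocks, 1):
        out = permute(m + s)                        # \hat{s}_{k-1} = M_k || s_{k-1}
        s = out[4:] if k < len(blocks) else out     # drop the message column, except last
    for _ in range(BLANK_ROUNDS):
        s = permute(s)
    return s[-32:]

def mc_transition_count(in_mask, out_mask):
    """Number of column differences active exactly on the byte positions in in_mask
    whose MixColumns image is active exactly on the positions in out_mask.
    MixColumns is linear, so a difference behaves like a value, and the
    transition probability is count / 255**len(in_mask) (cf. Table 1)."""
    ranges = [range(1, 256) if i in in_mask else (0,) for i in range(ROWS)]
    return sum(1 for v in product(*ranges)
               if {i for i, w in enumerate(mix_column(v)) if w} == set(out_mask))

if __name__ == "__main__":
    print(grindahl256([b"abcd", b"efgh"]).hex())                  # constructed input
    print(mc_transition_count({0, 1}, {0, 1, 2}), "of", 255 ** 2)   # about 2^-8
```

For the example transition discussed in the text, two active input bytes on positions 0 and 1 mapping to exactly positions 0, 1 and 2, the count is 255 out of $255^2$ input differences, i.e. a probability of about $2^{-8}$, while a transition to only two active output bytes never happens (the MDS bound $ND(V_1,V_2) + ND(W_1,W_2) \geq 5$).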


3.3 Existence of Control Bytes 

Modifying some message bytes will obviously modify the internal state quite quickly, 
but not necessarily immediately. For each modified byte of the message block $M_k$, we give in 
Table 2 the columns of $\hat{s}$ (in its matrix representation $a$) affected by this modification 
after 1, 2 and 3 iterations. Note that for more than 3 iterations, any message byte affects 
all of the internal state. This active/passive bytes feature will allow us to attack different 
columns of different iterations independently. More precisely, we will control independently 
the behaviour of some MixColumns transitions thanks to the active/passive 
bytes. 


Table 2. Influences on the columns of the extended internal states for a modification of a byte 
of the message block $M_k = (A_k, B_k, C_k, D_k)$ incoming at iteration $k$. We denote by $\bullet$ if the 
column is affected (or active) and void if not. The three tables show the influences after 
one, two and three iterations respectively. [Three grids of 4 rows ($A_k$ to $D_k$) by 13 columns 
(0 to 12); the markers are not recoverable from the extracted text.] 
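The propagation that Table 2 tabulates can be recomputed from the ShiftRows offsets alone, since SubBytes keeps a byte active, MixColumns spreads one active byte over its whole column, the truncation drops column 0 and the next message block enters column 0 without a difference. The following is an added example (my code, not from the paper) that does this for each message byte $A_k, \ldots, D_k$ and any number of iterations; the modelling of "affected" as "may depend on the modified byte" is mine.

```python
# Added example (not from the paper): which columns of the extended state may
# depend on one modified message byte after i iterations of GRINDAHL-256.
# Model: SubBytes keeps a byte active; ShiftRows moves row r right by RHO[r];
# MixColumns makes the whole column active once one byte in it is; truncation
# drops column 0; the incoming message block fills column 0 with inactive bytes.
COLS = 13
RHO = (1, 2, 4, 10)

def propagate(active):
    """One iteration on a set of active (row, column) positions."""
    shifted = {(r, (c + RHO[r]) % COLS) for r, c in active}     # ShiftRows
    cols = {c for _, c in shifted}                              # MixColumns: column-wise
    cols.discard(0)                                             # column 0 is truncated away
    return {(r, c) for r in range(4) for c in cols}

def affected_columns(byte_row, iterations):
    """Sorted columns of the extended state affected by M_k byte `byte_row`
    (A_k = row 0, B_k = 1, C_k = 2, D_k = 3) after `iterations` iterations."""
    active = {(byte_row, 0)}                    # the byte sits in the message column
    for _ in range(iterations):
        active = propagate(active)
    return sorted({c for _, c in active})

def table2():
    """Table 2 as data: for A_k..D_k, the affected columns after 1, 2, 3 iterations."""
    return {name: [affected_columns(r, i) for i in (1, 2, 3)]
            for r, name in enumerate("ABCD")}

def iterations_until_full(byte_row):
    """Smallest number of iterations after which the byte affects all 12 state columns."""
    i = 0
    while affected_columns(byte_row, i) != list(range(1, COLS)):
        i += 1
    return i

if __name__ == "__main__":
    for name, rows in table2().items():
        print(name, rows)
    print([iterations_until_full(r) for r in range(4)])
```

Running it shows, for instance, that $A_k$ reaches only column 1 after one iteration, columns 2, 3, 5 and 11 after two, and that every message byte needs a fourth iteration before all twelve state columns depend on it, which is the "more than 3 iterations" remark above.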















3.4 General Strategy 

We now have all the necessary tools in order to build a truncated-differential path and 
evaluate its probability of success. But how to actually find one? The natural intuition 
one would have (as the anonymous reviewer suggested) is to always maintain a low 
number of truncated-differences along the path (to increase the probability). However, 
finding one such path seems really difficult, as one can convince oneself with Property 
1 from the original paper: 

Property 1. An internal collision for GRINDAHL-256 requires at least 5 iterations. 
Moreover, any characteristic starting or ending in the extended state with no difference 
contains at least one round where at least half the extended state bytes (excluding 
the first column) are active. 

This property can be verified with a meet-in-the-middle exhaustive search, as explained 
in the original paper. However, with a small speed improvement of this algorithm, one 
can check that an internal collision for GRINDAHL-256 requires at least 6 iterations. 
Another observation is that by introducing differences in the state, after a few iterations 
we quickly come to an "all-difference" pair of extended states. Moreover, this "all-difference" 
pair of extended states is almost stable: the probability that an all-difference 
pair of columns remains an all-difference pair of columns through MixColumns is 
approximately $P_A = (1 - 2^{-8})^4$, so for the twelve columns of the extended state (excepting 
the first column) we have a probability of $P_A^{12} \approx 2^{-0.27}$. Thus, our first idea is 
to not search for a path starting from a zero difference but from an all-difference pair of 
extended states (which is very easy to get). The overwhelming probability $P_A^{12}$ allows 
us to start with as many valid starting states as we want. 


3.5 Finding a Truncated Differential Path 

Searching for a differential path starting from an all-difference pair of extended inter- 
nal states is quite easy. One method is to go backward almost exhaustively. Indeed, in 
Grindahl the truncated differences propagate in the forward direction as quickly as in 
the backward direction. More precisely, if we look for a collision at the end of iteration 
k, we try all the possible truncated difference masks for the message blocks inserted at 
iterations k, k — 1, etc. and all the possible transitions of truncated differences through 
MixColumns, until we come to an all-difference pair of extended states. This algorithm 
can be greatly improved with an early-abort strategy: we compute a lower bound on the 
cost of the current trail we are building (taking in account the control provided by the 
active/passive bytes, see Section 0) and we stop the search branch if the complexity of 
the attack is already greater or equal to 2 128 operations. We also stop the search if we 
go too far in terms of number of iteration^. 

Obviously, always adding truncated differences to all the inserted message blocks is
the fastest way to reach this goal. However, we will use the inserted message bytes as
control bytes to attack some parts of the differential path independently and thus
increase the probability of success. Thus, it may be better not to add truncated differences
too fast, in order to increase the total number of iterations of the differential path. This
will increase the total number of message blocks inserted and therefore provide more
control bytes. For example, we can find a path starting from an all-difference pair of
extended internal states and requiring only 4 iterations to get a collision, with a probability
of success of approximately $2^{-312}$. However, another path requiring 8 iterations to get a
collision, with a probability of success of approximately $2^{-440}$, may be better. Indeed, in
the latter case, even if the probability of success has been divided by a factor $2^{128}$, we
have inserted 8 message word pairs instead of only 4 in the former case (4 pairs of
message words of 4 bytes each). Thus, we get roughly $2 \times 4 \times 4 \times 8 = 256$ additional bits
of freedom (two messages, 4 bytes per word, 4 extra words, 8 bits per byte), which is more
than the 128 bits paid for the probability drop. Obviously, a limit exists: at some point,
adding more iterations does not improve things anymore.


1 In some particular cases, the overall complexity of the attack can remain stable even if the
number of iterations of the differential path increases.
4 Finding a Collision

In this section, building on the previous observations, we give a complete collision attack
for the 256-bit version of Grindahl.

4.1 The Differential Path

Before describing the collision attack, we give in Figure 1 the differential path used, which
has been generated by a program implementing the technique explained in Section 3.5.
This trail is the best found (among other possible candidates leading to the same
complexity). Several candidates were possible and we kept the one providing the best
collision attack. We denote by $k$ the number of the last iteration of our differential path,
i.e. the last line of Figure 1. First, one can check that all the MixColumns transitions are
valid. This differential path has a probability of success of approximately
$2^{-55 \times 8} = 2^{-440}$, but we will see that we also have a lot of message blocks inserted,
allowing us to attack some parts independently.

Our aim is to find a pair of messages following the expected differential trail. For this,
we do not handle the iterations one by one, but the inserted 4-byte message words, one at
a time. In other words, we fix the four bytes of a message word pair and check that the
newly imposed MixColumns differential transitions are the ones expected in the
truncated-differential path. If so, we continue with the next message word pair until we
get a collision.

In Table 3 we give all the dependencies of the MixColumns transitions on the message
blocks inserted and used as control bytes during the differential path from Figure 1.
The cost of every transition is given, together with the number of control bytes inserted
at each iteration. The second column of the table gives the position of the column of the
state in which we force a differential transition during a MixColumns transformation, and
the first column indicates in which iteration this event occurs. For each transition, we give
in the third column its cost in terms of number of bytes (i.e. for a cost $c$, the transition
has a probability of $2^{-8c}$). Then, each of the seven other columns of the table represents
a pair of message words that will be used as control bytes (the letters a or A, b or B, c or
C and d or D represent respectively the first, second, third and fourth byte of the 4-byte
message word inserted). A capital letter means that we have 2 control bytes (we insert a
difference for this block) and a small letter means that we only have 1 control byte (no
difference inserted for this message block). In the body of the table a dash or a cross
indicates that the MixColumns transition of the corresponding row is affected by the
control byte of the corresponding column. We split those dependencies for the sake of
simplicity: the crosses are the dependencies that will be used for the attack, i.e. for each
MixColumns transition they mark the last message word involved. Finally, the last row
gives the cost of each message word insertion in terms of number of bytes (the sum gives
the total complexity of the attack).

Note that many of the inserted message bytes provide two one-byte degrees of freedom
(capital letters) in the case where we introduce a difference for this message block (we
can make both messages of the pair vary independently). From Table 3 one can check
that we need to test $2^{14 \times 8} = 2^{112}$ all-difference pairs of internal states in order to
have a good probability of obtaining a collision. More precisely, the collision attack is as
follows.

Fig. 1. Truncated-differential path in 8 iterations starting from an all-difference pair of states. The
dark cells mean that we have a non-zero difference for this byte, and the light cells stand for no
difference. Each row represents an iteration. The first column gives the differences in the state
just after its update with the 4-byte message word, and the second column gives the same state
after application of the ShiftRows transformation. Finally, the third column represents the internal
state just after application of the MixColumns function. Note that the AddConstant and SubBytes
functions have no effect on the differential path, thus they are omitted here. The first 4-byte
column of each state in the first column represents the message word inserted at that iteration,
which will later be used as control bytes. The first 4-byte column of the state after every
MixColumns transition can have any difference mask, since those bytes are immediately truncated.

Table 3. Dependencies of the message blocks used as control bytes and inserted during the
truncated-differential path from Figure 1, for a collision at the end of iteration $k$.
4.2 The Collision Attack

First step: start with the predefined initial value and compute some iterations with lots
of truncated differences in the incoming message blocks in order to quickly reach an
all-difference pair of states, denoted $A$, after a few iterations. This step is omitted in the
complexity analysis since it is completely negligible.

Second step: from this pair of states $A$, generate $2^{14 \times 8} = 2^{112}$ all-difference pairs
of states $A_1, \ldots, A_{2^{112}}$. This step requires $2^{112} \times 2^{0.27} = 2^{112.27}$ iteration
computations.

Third step: we continue the attack by fixing the control bytes iteration by iteration.
For the message blocks inserted at the beginning of iterations $k-8$, $k-7$, $k-6$ of
our truncated-differential path from Table 3 we have more control bytes incoming than
necessary. Indeed, for the messages inserted at iterations $k-8$, $k-7$ and $k-6$ we have
8, 8 and 7 control bytes available respectively, whereas we only require 2, 7 and 7 bytes
of degrees of freedom respectively. More precisely, for each pair of message words
$(M_{k-i}, M'_{k-i})$ inserted, its bytes are used in order to adjust the behavior of the
MixColumns transitions where crosses appear in column $M_{k-i}$ of Table 3 (see footnote 2).
For each step, the total cost is equal to the sum of the costs of all the MixColumns
transitions involved, minus the number of control bytes available from $M_{k-i}$. Thus, at
this point of the attack, we maintain $2^{112}$ pairs of messages and states following the
differential trail. For the message words inserted at iteration $k-5$, we have 6 control
bytes for 7 bytes of conditions, thus we only keep 1 out of $2^8$ message pairs and we go
to the $(k-4)$-th message word with $2^{104}$ valid pairs. We continue in the same way for
the three remaining message words $k-4$, $k-3$ and $k-2$, having 7, 8 and 4 control bytes
respectively (see footnote 3) and requiring 9, 14 and 9 bytes of conditions respectively.
We thus expect to have one pair of messages following the differential trail with good
probability by starting with $2^{14 \times 8} = 2^{112}$ all-difference pairs of states.

Fourth step: add a $(k+1)$-th message block without truncated difference in order to
force a truncation after the last iteration $k$ of the differential trail (the final blank
rounds are done without truncation).

4.3 Discussion on the Attack 

For the sake of clarity, we explain more precisely how to deal with the control bytes
by giving an example. Let us place ourselves at the point where the attacker has to fix
the message pair incoming at iteration $k-5$ (seventh column in Table 3). The previous
message words have already been fixed during the attack, thus we only have to deal with
the crosses in Table 3. Some MixColumns differential transitions have to behave as
required by the truncated-differential path, and this has a cost. For example, at the
second column of the $(k-5)$-th iteration, we need a 4-truncated-differences to
3-truncated-differences transition and this will happen with probability $2^{-8}$, thus with
a cost of 1 byte. However, to make this event occur, we can use the message word
inserted at iteration $k-5$ (more precisely its second byte) in order to randomize the
instantiation of the transition. Note that there are several ways of doing this step, and
this is discussed below. We actually have a good probability of finding $2^8$ valid pairs of
message bytes for this transition: two control bytes for one byte of condition. We do the
same for the seventh column transition of iteration $k-4$ with the fourth byte of the
message word: again two control bytes for one byte of condition. Then we identify the
subset of the cross product of the two sets of $2^8$ byte pairs such that the twelfth column
transition of iteration $k-4$ is verified (it depends only on the two previously fixed pairs
of message bytes), which costs one byte of condition. So, we maintain $2^8$ valid
possibilities. Then, we fix the first byte of the message word to deal with the third column
transition of iteration $k-4$: since this costs one control byte for one byte of condition,
we still maintain $2^8$ valid possibilities. Finally, with the remaining byte of the message
word (the third), we look for a good transition for the ninth column of iteration $k-3$:
this costs one control byte for two bytes of conditions, but we had maintained $2^8$ valid
possibilities before. Thus, in the end, we have a good probability of finding a valid
message word for all the transitions cited. However, we did not take care of the eleventh
column of iteration $k-4$, which costs us one byte of condition. To summarize, this whole
step will cost us $2^8$ tries because we had a total of six control bytes for a total of seven
bytes of conditions. Repeating this reasoning for all the message words inserted at each
iteration of the differential path explains the $2^{112}$ tries cost for the whole collision
attack.

2 Since in Table 3 the crosses represent the last message word involved for the transition, the
previous dependencies (represented by a dash) are already fixed at this point.

3 For the $k-2$ case, we only have 4 control bytes and not 6 as indicated in Table 3. Indeed,
since c and d are not involved in any MixColumns transition, they cannot be considered as
control bytes.

One may argue that we indeed need to try $2^{112}$ all-difference pairs of states but that
the basic operation is costly when playing with the control bytes. Indeed, in the previous
example, some steps require going through $2^8$ or $2^{16}$ values of message words, each
requiring a SubBytes computation on a whole column, or one or two iteration processes
(depending on which column of the state the transition occurs in). Even if it would still
be an attack, the complexity would be slightly higher. This argument holds if the attacker
uses a naive search method. However, inexpensive precomputations allow one to reduce
the computational cost of the search to table lookups. For example, with as few as $2^{32}$
precomputation time and memory, one can generate all the information needed to quickly
execute the search required during the third step of the collision attack. Only a few table
lookups would then be required. One might also wonder why we did not count the
complexity of the few 4-truncated-differences to 4-truncated-differences transitions. Such
transitions always have a high probability of happening,
$P_A = (1 - 2^{-8})^4 \approx 2^{-0.02}$. Therefore they have very little effect on the complexity
of the attack. This operation is clearly less costly than doing a whole iteration process.
Moreover, the compression function mode performs 40 iterations for one compression call.
Thus our attack actually runs in less than $2^{112}$ hash computations, all the complexity
coming from the generation of $2^{112}$ all-difference pairs of states.
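The transition probabilities of Section 3.4 and the control-byte bookkeeping of Sections 4.2 and 4.3 can be checked mechanically. The following Python is a worked example added here, not code from the paper; it assumes that Grindahl's MixColumns is the AES one (the $2^{-8}$ per cancelled byte and $(1-2^{-8})^4$ figures in the text are those of the AES MDS matrix) and it takes the per-word control-byte and condition counts quoted in Section 4.2 as its input, since the body of Table 3 is not reproduced on this page.

```python
"""Cost accounting for the Grindahl truncated-differential attack.

Added worked example, not code from the paper. Assumptions: Grindahl's
MixColumns is the AES MixColumns, and the per-message-word control-byte and
condition counts are the ones quoted in Section 4.2 (Table 3 is not
reproduced on the page, so they are typed in below).
"""
import math
import random


def xtime(b):
    """Multiplication by x in GF(2^8) with the AES polynomial x^8+x^4+x^3+x+1."""
    b <<= 1
    return b ^ 0x11B if b & 0x100 else b


def gf_mul(a, b):
    """GF(2^8) product (AES field), bit-serial."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = xtime(a)
        b >>= 1
    return r


def mix_column(col):
    """AES MixColumns on one 4-byte column (circulant matrix 2,3,1,1)."""
    a0, a1, a2, a3 = col
    return [
        gf_mul(a0, 2) ^ gf_mul(a1, 3) ^ a2 ^ a3,
        a0 ^ gf_mul(a1, 2) ^ gf_mul(a2, 3) ^ a3,
        a0 ^ a1 ^ gf_mul(a2, 2) ^ gf_mul(a3, 3),
        gf_mul(a0, 3) ^ a1 ^ a2 ^ gf_mul(a3, 2),
    ]


def pattern_distribution(samples=100000, seed=1):
    """Empirical distribution of the output activity pattern (4-tuple of 0/1
    flags, 1 = non-zero byte difference) when an all-difference column goes
    through MixColumns. Input byte differences are drawn uniformly from the
    non-zero bytes; MixColumns is linear, so the output difference is just
    mix_column() of the input difference. Expect (1,1,1,1) near (1-2^-8)^4
    and any pattern with one cancelled byte near 2^-8."""
    rng = random.Random(seed)
    counts = {}
    for _ in range(samples):
        delta = [rng.randrange(1, 256) for _ in range(4)]
        pattern = tuple(int(d != 0) for d in mix_column(delta))
        counts[pattern] = counts.get(pattern, 0) + 1
    return {pattern: n / samples for pattern, n in counts.items()}


def transition_cost_bytes(pattern):
    """Cost c of forcing an all-difference column onto `pattern` (third column
    of Table 3: probability 2^{-8c}); c is the number of output bytes that
    must cancel. Valid for an all-difference input column only."""
    return 4 - sum(pattern)


def all_difference_log2(columns=12):
    """log2 of P_A^columns with P_A = (1 - 2^-8)^4: the chance that `columns`
    all-difference columns all stay all-difference through MixColumns
    (Section 3.4 gives 2^-0.27 for the twelve truncated columns)."""
    p_a = (1 - 2.0 ** -8) ** 4
    return columns * math.log2(p_a)


def attack_cost_bytes(control_bytes, condition_bytes):
    """Bookkeeping of Sections 4.2/4.3: message words are fixed one pair at a
    time; each offers `control` bytes of freedom against `conditions` bytes of
    MixColumns conditions, and surplus freedom at one word does not carry over
    to the next. Returns the total cost in bytes (2^(8*cost) starting pairs
    are needed) and the cumulative cost after each word."""
    cost, cumulative = 0, []
    for control, conditions in zip(control_bytes, condition_bytes):
        cost += max(0, conditions - control)
        cumulative.append(cost)
    return cost, cumulative


# Figures quoted in Section 4.2 for the words inserted at k-8, ..., k-2.
COLLISION_CONTROL = (8, 8, 7, 6, 7, 8, 4)
COLLISION_CONDITIONS = (2, 7, 7, 7, 9, 14, 9)

if __name__ == "__main__":
    dist = pattern_distribution()
    print("P(4->4) ~", dist[(1, 1, 1, 1)], "expected", (1 - 2 ** -8) ** 4)
    print("P(4->3, byte 2 cancelled) ~", dist[(1, 0, 1, 1)], "expected ~", 2 ** -8)
    print("log2 P_A^12 =", round(all_difference_log2(), 2))
    total, trail = attack_cost_bytes(COLLISION_CONTROL, COLLISION_CONDITIONS)
    print("cost in bytes:", total, "-> 2^%d starting pairs" % (8 * total), trail)
```

The cumulative cost list reproduces the narrative of the third step: nothing is paid for $k-8$, $k-7$, $k-6$, one byte at $k-5$ (so $2^{104}$ pairs survive), then 2, 6 and 5 bytes for the last three words, 14 bytes in total. The sampler is only there to confirm that a 4-to-4 transition is essentially free while each cancelled output byte costs $2^{-8}$, which is why the early-abort bound in Section 3.5 can be computed from activity patterns alone.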
Note that we checked that this kind of attack also works with a complexity of at most
$2^{120}$ hash computations for all the rotation constants providing the best diffusion, which
seems to indicate that the internal state of Grindahl is not big enough.

We provide in the Appendix the extension of this technique to the second preimage
case, applied to the 256-bit version of Grindahl. Note however that the Grindahl
designers only claimed 128-bit security for (second) preimage resistance, showing
that (second) preimages can be found in less than $2^{256}$ operations.

5 Discussion on the Attack and Possible Patches 

Most of the difficulty of the presented attack is to actually find a good differential
path, and this is possible by letting the differences spread completely and starting from
an all-difference pair of states. Moreover, even if better differential trails may be found
by maintaining a low weight of differences (which is hard to do), we think that the
complexity will not decrease drastically compared to our attack. Indeed, the complexity
cost grows quickly due to the last iterations of the differential trail (where very few
control bytes are available), and these steps will remain very costly whatever the
differential trail used. In other words, we can compute a lower bound on the complexity
of an attack using any truncated-differential path and control bytes. For example, a short
program gives us that a similar truncated-differential attack on the 256-bit version of
Grindahl requires at least $2^{104}$ operations (whatever the truncated-differential path).
Note that this does not mean that such an attack exists.

Thus it would be very interesting to think of a new version of GRINDAHL (with a
comparable efficiency) that resists the presented attack but also any attack dealing with
truncated differences and control bytes. That is, one wants the lower bound on the
complexity of an attack using a truncated-differential path and control bytes to be greater
than or equal to $2^{128}$ operations, and even greater for a good security margin. If this is
possible, an attacker who wants to find a collision would have to first find a differential
trail and then deal with the actual values of the differences in order to lower the
complexity. The SubBytes transformation would therefore discourage this kind of attack
and we would obtain a hash function with a strong security argument. A new GRINDAHL
version with such a property and a reasonable efficiency could be designed by adding some
more columns to the states. The question of the number of columns to be added, or of
other possible patches, is left open for future research.

6 Conclusion 

We showed in this work that the 256-bit version of Grindahl is not collision resistant.
By introducing a non-intuitive technique to find a good differential path and with a
careful use of the available control bytes, we presented an attack finding collisions with
no more than $2^{112}$ hash computations. We believe that such a reasoning would apply to
the 512-bit version of Grindahl, even if the search space for a differential path in this
case would be much bigger. Finally, we provided possible patches for the 256-bit version
of Grindahl that may lead to new versions with stronger security arguments.
Appendix

Extending the Collision Attack to Second Preimage Resistance. Our previously explained
collision attack has a nice feature for an attacker: one does not care about the actual
values of the differences. Thus, we have very few constraints during the differential path.
This remark allows us to extend our collision attack to second preimage resistance if the
second preimage challenge has a reasonable number of message blocks. For example, let
us look at the differential path from Figure 2. If one wants to find a second preimage
using this path, only the number of control bytes will change as compared with the
collision attack case: where we previously had two control bytes because of the insertion
of a non-zero truncated difference (capital letters in Table 4), we only get one control
byte, since the first message block is fixed by the challenge. For the same reason, where a
zero truncated difference is inserted, we have one control byte in the collision case (small
letters in Table 4) and no control byte at all in the second preimage case.

Fig. 2. Truncated-differential path in 4 iterations starting from an all-difference pair of states, to
be used for a second preimage attack

Using exactly the same techniques as for the collision attack, one can find a second
preimage in approximately $2^{28 \times 8} = 2^{224}$ hash computations, whereas $2^{256}$ hash
computations should be required for an ideal 256-bit hash function. The drawback of this
method is that we require the challenge to contain enough message blocks in order to
have enough iterations to follow our differential path (around 8 iterations: 3 to reach an
all-difference pair of states, 4 to follow the path from Figure 2 and 1 to force the
truncation at the end of our differential trail). Moreover, we need approximately 7 more
iterations if we also take into account that we need to generate $2^{224}$ all-difference pairs
of internal states to pass the differential trail. Thus, our attack works for a challenge of
at least 15 message words.

Note that the Grindahl designers only claimed $2^{128}$ security for their 256-bit version,
and provided in their original paper a (second) preimage algorithm requiring $2^{176}$
operations and memory, with a meet-in-the-middle reasoning on the internal state size.

Table 4. Dependencies of the message blocks used as control bytes and inserted during the
truncated-differential path from Figure 2 in a second preimage attack, for an internal collision
at the end of iteration $k$. Note that for the pairs of message words that will be used as control
bytes, since we are in the second preimage attack case, a capital letter means that we have
one control byte (we insert a difference for this block) and a small letter means that we have
no control byte (no difference inserted for this message block).
Abstract. Edon80 is a recent stream cipher design that has advanced
to the third and last phase of the eSTREAM project. It has remained
unbroken and untweaked since it was designed and submitted to eSTREAM.
It is now one of the 8 final hardware candidates. In this paper
we cryptanalyze the cipher by describing a key recovery attack. The
complexity of the attack is around $2^{69}$ simple operations for a keystream of
similar length.

1 Introduction 

Edon80 is a recent stream cipher design, described in [1], that was submitted
to the eSTREAM project. It uses a novel approach in stream cipher design,
concatenating 80 basic building blocks derived from 4 different quasigroups of
order 4. A quasigroup is basically a Latin square, a very simple combinatorial
object.

The design has received a lot of attention and much work has been done
based on Edon80. Regarding security, Hong observed in [2] that with some small
probability, the period of the keystream sequence could be quite small. This was
further studied by the designers themselves in [3] and later also in the paper
[4]. However, this property could not be exploited in any kind of attack. A
theoretical treatment of the quasigroups used in Edon80 is given in [5]. Finally,
from an implementation point of view, it was shown in [6] that Edon80 can be
implemented using less than 3000 gates. Even though the eSTREAM project has
allowed tweaks, the Edon80 construction has remained untweaked since it was
designed and submitted to eSTREAM. However, due to the probability of short
periods, the designers have introduced a limitation on the number of keystream
bits that can be produced per key/IV pair. This limitation is $2^{48}$ bits and was
proposed in [7], when entering the second phase of eSTREAM.

The small implementation and the fact that the construction has remained
untweaked are the main reasons for the success of Edon80 in eSTREAM, namely its
advancement to the third and last phase of the eSTREAM project. It is
now one of the 8 final hardware candidates.

In this paper we cryptanalyze the cipher by describing a key recovery attack.
The complexity of the attack is around $2^{69}$ for a keystream of similar length.
The design philosophy is not completely broken. A design using, say, 160
concatenated quasigroup operations would be out of scope of the new attack. On
the other hand, such a change of the design would double the implementation
cost, making such a design much less interesting.

The new attack to be presented is based on exploiting some periodicity inside
the generator. Using the fact that some elements will repeat with large probability,
we can build a kind of test to find out the correct value of the key bits
used at the end of the concatenation. This leads to a key recovery attack, where
we may vary some parameters and obtain a trade-off between the required length of
the received keystream and the computational complexity.

The paper is organized as follows. In Section 2 we describe in more detail the
stream cipher design Edon80. In Section 3 we summarize some previous work
relating to the security of Edon80. In Section 4 we then give the basic ideas of
the new attack, followed by a more detailed analysis in Section 5. In Section 6
we discuss how the attack can be efficiently implemented. In Section 7 we verify
some of the claims by presenting simulation results. Finally, in Section 8 we
derive some possible attack complexities and then we conclude.

2 Description of Edon80 

In this section we give a description of the Edon80 stream cipher. An additive
synchronous stream cipher is built around a keystream generator. A generator
takes a key $K$ and an IV value (nonce) $IV$ as its input and produces an arbitrarily
long keystream sequence $Z = z_1, z_2, z_3, \ldots$. The keystream is then added to the
plaintext in the encryption phase.

The sizes of the key and IV in Edon80 are 80 bits and 64 bits, respectively.
The design of Edon80 is based on string transformation using 4 quasigroups of
order 4, denoted $(Q, \bullet_j)$ ($0 \le j \le 3$). The internal updated state consists of 80
memory cells of two bits each. Each memory cell, referred to as an e-transformer
$*_i$ ($0 \le i \le 79$), holds 2 bits representing a value between 0 and 3. The 80
e-transformers are connected in series and the result from $*_{i-1}$ is used as input to
$*_i$.

The 80-bit key $K$ is divided into 40 2-bit values $K = K_0 K_1 \ldots K_{39}$, each
represented as a value $0 \le K_i \le 3$. The quasigroup $(Q, *_i)$ ($0 \le i \le 79$) used by
e-transformer $*_i$ is given by

$$*_i = \bullet_{K_{i \bmod 40}},$$

so the same 40 key values select the quasigroups of the upper 40 and of the lower 40
e-transformers. The quasigroups used in Edon80 are given in Figure 1.

Let the value in $*_i$ at time $t$ be denoted $a_{i,t}$. Then the values are updated as

$$
\begin{cases}
a_{0,0} = a_0 *_0 0, \\
a_{0,j} = a_{0,j-1} *_0 (j \bmod 4), & 1 \le j, \\
a_{i,0} = a_i *_i a_{i-1,0}, & 1 \le i \le 79, \\
a_{i,j} = a_{i,j-1} *_i a_{i-1,j}, & 1 \le i \le 79,\ 1 \le j,
\end{cases}
$$

where $a_i$ denotes the initial value of $*_i$ ($0 \le i \le 79$) at the beginning of the
keystream generation phase.
      •_0 | 0 1 2 3            •_1 | 0 1 2 3
      ----+--------            ----+--------
       0  | 0 2 1 3             0  | 1 3 0 2
       1  | 2 1 3 0             1  | 0 1 2 3
       2  | 1 3 0 2             2  | 2 0 3 1
       3  | 3 0 2 1             3  | 3 2 1 0

      •_2 | 0 1 2 3            •_3 | 0 1 2 3
      ----+--------            ----+--------
       0  | 2 1 0 3             0  | 3 2 1 0
       1  | 1 2 3 0             1  | 1 0 3 2
       2  | 3 0 2 1             2  | 0 3 2 1
       3  | 0 3 1 2             3  | 2 1 0 3

Fig. 1. The 4 quasigroups used in Edon80 (the entry in row $a$ and column $b$ is $a \bullet_j b$)


Summarizing, the infinite period-4 string 0, 1, 2, 3, 0, 1, 2, 3, 0, ... is transformed
by $*_0$ and the resulting string is transformed by $*_1$ etc. The keystream is obtained
by taking every second value produced by $*_{79}$, see Figure 2.

  $a_{79,0}$ | $a_{79,1}$ | $a_{79,2}$ | $a_{79,3}$ | $a_{79,4}$ | $a_{79,5}$ | $a_{79,6}$ | $a_{79,7}$ | $a_{79,8}$ | ...

Fig. 2. The quasigroup string e-transformation in keystream generation mode (only the
values at odd $t$ are output)

For simplicity, we adopt the notation $Z = z_1, z_3, z_5, \ldots$ for the received keystream,
where

$$z_t = a_{79,t}, \qquad t > 0,\ t \text{ odd}.$$

A schematic picture of Edon80 is given in Figure 3. Remember that only every
second output is used in the keystream.

  0, 1, 2, 3, 0, ...  →  [$*_0$]  →  [$*_1$]  →  ...  →  [$*_{79}$]  →  keystream

Fig. 3. The keystream generator Edon80

The initial state of Edon80, $(a_0, a_1, \ldots, a_{79})$, is determined by the key $K$ and
the IV through an IV setup process. Exactly how this is done is not relevant to
our analysis and we refer to the design document [1] for a detailed description
of the IV setup. We can assume that the mapping from the 80-bit key and the
64-bit IV to the initial state $a_0, a_1, \ldots, a_{79}$ is a random mapping. However, the
attack will still be applicable even if the mapping were shown to suffer from
some nonrandomness.

Edon80 is designed to be a hardware efficient stream cipher. The hardware
description is slightly different from the algorithmic description given above. In
order to output 1 bit/clock, the implementation uses a second 2-bit memory cell
in $*_i$ which stores the output from $*_{i-1}$. However, in [6] the authors demonstrated
an implementation which does not use this extra memory cell. The implementation
required a gate count of only about 3000, but the output rate was decreased
to 1/80 bit/clock, resulting in a throughput of just a few Mbit/s. Still, this
small implementation cost shows that Edon80 is a very interesting candidate for
a stream cipher suitable for constrained environments.

3 Previous Analysis of Edon80 

In this section we review the previous results and known properties of Edon80
that will be used in our cryptanalysis. The most important property that will
be exploited in the attack is the relatively short period of Edon80. In the design
document [1] it was stated that the expected average period of the keystream
is about $2^{103}$. In [2] Hong argued that there are many key/IV pairs that produce
a keystream with undesirably short period. Referring to Figure 4, using
exhaustive search all $d$-row key/state pairs of period $p = 4, 8$ and $16$ were found.
Extrapolating the results to 40 rows, and then repeating the same key for the
lower 40 rows, it was concluded that there are many key/IV pairs that produce
a keystream with relatively short period. As an example, it was claimed that
there is a $2^{-75}$ probability that a key/IV pair generates a keystream with period
$2^{61}$. In response to these results, the designers claimed in [3] that the values
given by Hong were actually underestimated and that the probability of generating
a keystream with period less than $2^{61}$ was $2^{-18.62}$. Thus, with a total of
$2^{79.62}$ keystream bits we can expect to find a sequence with period less than $2^{61}$.
Further, it was concluded that the average period of Edon80 is $2^{91}$. A more detailed
investigation of the periods was given in [4]. Each e-transformer increases the
period of the incoming string by a factor 1, 2, 3 or 4. Let $X_i$ denote the factor
by which e-transformer $*_i$ increases the period. Considering several consecutive
e-transformers, it was shown that the probability distribution for $X_i$ converges
to the stationary distribution

$$
\begin{pmatrix} 1 & 2 & 3 & 4 \\ \frac{1}{4} & \frac{1}{4} & \frac{11}{32} & \frac{5}{32} \end{pmatrix}
$$

with expected value $E(X) = \frac{77}{32}$ and variance $\sigma^2 = V(X) = \frac{1079}{1024}$.
Furthermore, let $2m$ be the total number of e-transformers and let $P_{2m}$ be a random
variable for the period after $2m$ e-transformers. Then when $m \to \infty$, the probability
density function (pdf) $f_{P_{2m}}$ can be approximated by the continuous (log-normal)
function [4, Section 2]

$$
f_{P_{2m}}(s) = \frac{1}{s\sqrt{\pi \cdot 0.984648\,m}} \exp\left(-\frac{(\ln(s) - 1.535086\,m)^2}{0.984648\,m}\right), \qquad 0 < s < \infty. \tag{1}
$$

We refer to [4] for more details. Despite the relatively high probability of short
periods, it has until now been unclear how to use this to obtain information
about the key.
4 A Key Recovery Attack - Basic Ideas

In this section we give the ideas behind our key recovery attack on Edon80. The
details are then given in Section 5. We assume a known plaintext scenario, i.e.,
the keystream sequence $Z = z_1, z_3, z_5, \ldots$ is known to the adversary. The basic
ideas behind the attack are based on the following properties of the cipher.

- The quasigroup $\bullet_j$ ($0 \le j \le 3$) used in e-transformer $*_i$ ($0 \le i \le 79$) is
  completely determined by the key. For example, if we know which quasigroup
  is used in the last e-transformer, we also know 2 key bits.

- The period of the string produced by $*_i$ can be expected to be moderately
  small for small $i$. In fact, some internal values (output from e-transformers)
  will repeat with large probability due to the periodicity.

We visualize the attack in Figure 4 by considering a matrix with elements $a_{i,j}$
($0 \le i \le 79$, $t \le j \le t+u+v$), with $u$, $v$ to be defined later. Every column here
corresponds to one specific time instance. Also, the $i$th row corresponds to the
$i$th e-transformer. Thus we have 80 rows in the Edon80 description. A restriction
to the first $B$ rows simply corresponds to an Edon instance with only $B$
e-transformers.

Looking at a specific value $a_{i,j}$, this value is calculated from its neighbours to
the left and above. I.e., the value at position $(i, j)$ will depend on all values at
positions $(i', j')$ for $i' \le i$ and $j' \le j$, i.e., all values above and to the left in the
matrix.

Fig. 4. Visualization of the attack idea (the columns are the time instances
$t, t+1, t+2, \ldots, t+u, t+u+1, t+u+2, t+u+3, \ldots, t+u+v$; the rows are the e-transformers)

In order to set up the attack, we select the $B$ top rows as one part (upper part)
and the remaining rows below as a second part (lower part) of the e-transformers.
Consider two vectors, $X$ and $Y$, of length $v$ and $u$ respectively,

$$X = (x_1, x_2, \ldots, x_v), \qquad Y = (y_1, y_2, \ldots, y_u),$$

$x_i, y_j \in \{0, 1, 2, 3\}$, $i = 1, 2, \ldots, v$, $j = 1, 2, \ldots, u$, with the values located as
shown in Figure 4. For Edon80, we then have $B = 80 - u - 1$. As can be seen, the
$X = (x_1, x_2, \ldots, x_v)$ vector is simply $v$ symbols coming out of the chain of $B$
e-transformers starting from some predetermined time. The $Y = (y_1, y_2, \ldots, y_u)$
vector can be characterized as the values needed to compute the internal state of the
second part of the e-transformers.

Each quasigroup transformation will increase the period of the initial string
by a factor of 1, 2, 3 or 4. Thus the period, denoted $P_i$, of the sequence produced
by $*_i$ is given by

$$P_i = 2^{y_1} 3^{y_2}, \tag{2}$$

for some non-negative integers $y_1, y_2$. Let $P_B$ be the period of the sequence produced
by the upper part of the e-transformers, giving output corresponding to the vector
$X = (x_1, x_2, \ldots, x_v)$. Then, the matrix corresponding to time instance $t$ and time
instance $t + kP_B$, $k = 0, 1, 2, \ldots$, will have the same values in the e-transformers
$*_i$ for $i < B$. More specifically, and this is what will be used in the attack, the vector
$X$ will have the same value in all considered time instances.

Assume for a moment that the key bits used to determine the quasigroups in 
the second part are known. With in total u + v values in the vectors X and Y, 
we consider the (u + v)/2 known keystream symbols that are directly below X 
and Y, see Figure 4 again. Using the knowledge of these keystream symbols, the 
number of possible combinations of the two vectors X, Y will be reduced from 
4^{u+v} to roughly 2^{u+v}. The idea is to choose u and v such that v > u. This means 
that not all X vectors will be possible in the set of possible X, Y pairs. Thus, 
the outcome of this part is a set Γ_k such that 

Γ_k = {X : there exists (X, Y) matching z_{t+kP_B}, z_{t+kP_B+2}, ..., z_{t+kP_B+u+v}}. 

Finally, we combine this with the fact that the vector X = (x_1, x_2, ..., x_v) 
will be the same at time instances t and t + kP_B. This means that X must appear 
in all sets Γ_k and hence in the intersection of them. The procedure should now 
be clear. 

For each choice of the 2u + 2 key bits used to define the quasigroups in the 
lower part, we determine the sets Γ_k, for k = 0, 1, 2, .... We take the intersection 
between the sets obtained so far, and continue until the intersection is empty. 
If we eventually receive an empty intersection, the chosen value of the key bits 
is discarded. On the other hand, if at the end there is only one vector X in the 
intersection, then we assume that we found the correct key bits. The number of 
key bits that are guessed in this attack is 2u + 2. When we know these key bits, 
the remaining part of the key could be exhaustively searched. 
5 A More Detailed Analysis of the Attack 

In this section we give a more detailed analysis of the different parts and param- 
eters used in the attack. The parameters that will be covered are 

— Guessing the correct period P B . 

— The length of the vectors X and Y. 

— The number of time instances that have to be considered in order to discard 
a wrong key candidate. 

5.1 The Period P B 

As stated in (2), the period of the sequence after B e-transformers has the form 
P_B = 2^{μ_1} 3^{μ_2} for some μ_1, μ_2 ∈ ℤ. It is clear that the X vector will repeat the same 
values if the distance between two matrices as described in Figure 4 is a multiple 
of the period. So we will assume a distance P'_B and the repetition of the value 
for the X vectors will be true if the actual period is a factor, i.e., if P_B | P'_B. 
We denote the probability that P_B | P'_B by α_{P'_B}. This value is, according to 
[reference], approximately calculated as 



(3) 


where f_{P_{2m}}(s) is defined in [earlier equation]. 

Recall that λ_i denoted the factor by which e-transformer ∗_i increases the 
period. In Section 3 we saw that the probability distribution for λ_i converges to 
the distribution 



This gives us a rough idea of the expected period. For example, if B = 64 we 
can expect around 16 of the factors being 1, around the same number being 
2, around 22 factors being 3, and around 10 factors being 4. So for B = 64 
we can set P'_B = 2^{36} · 3^{22} and there is a fairly large chance that P_B | P'_B. The 
actual probability for different values of the period deviates slightly from the 
above since the probabilities are not the asymptotic ones for low values of i. 
However, it can all be computed numerically. 

5.2 The Length of Vectors X and Y 

Assuming that we have chosen a value B = 80 − u − 1 and an assumed period 
P'_B such that P_B | P'_B, we now consider the choice of v. In order to create a set 
Γ_k where not all X vectors appear we need to choose v > u. We denote the 
difference by d, hence 


v = u + d. 


The simplest approach is then to start at time t and move forward. We assign 
all 4^2 possible values to y_1, y_2. We can then calculate everything below these 
positions in Figure 4. As we already know the value of z_{t+2}, only 4 of the possible 
candidates for y_1, y_2 will survive. For each surviving value of y_1, y_2, we assign all 
possible values for y_3, y_4, compute the values below and check against the known 
value of z_{t+4}. We will have 16 possibilities for the (y_1, y_2, y_3, y_4) vector. After 
finishing the Y vector we just continue in this fashion with x_1, ..., x_v. The 
set of possible assignments of (Y, X) is then 2^{u+v}. The complexity of calculating 
this set in this basic way is then roughly 2^{u+v}. Finally, the Y values are stripped 
off and the result is the set Γ_k. In an actual implementation we can make the 
constant factor in the algorithm very small. This will be described in more detail 
in Section 6. 


5.3 The Number of Intersections Needed to Discard a Key Candidate 

The total number of possible X vectors is 4^v. However, in the algorithm, using 
the knowledge of the keystream z_t, the vector X can only take 2^{u+v} values. Thus, 
using v = u + d, only a fraction 1/2^d of all values will be possible. Actually, in 
practice it is slightly less because some X vectors may appear twice (for different 
Y vectors). If we put 



we see that we need about K ≈ 2v/d sets Γ_k, k = 0, 1, ..., K − 1 to get an empty 
intersection. At least, the average number is around 2v/d. As an example, for 
the choice v = u + 2 (d = 2) there can be at most 25% of all the X vectors in 
Γ_k. Since the number of possible X vectors is 4^v we expect that we do not need 
much more than v sets. 

In general, a higher value of d will increase the computational complexity but 
since the reduction of possible X values in an intersection is much higher, it will 
lead to a smaller number of required intersections and hence a shorter required 
keystream length. 


5.4 Computational Complexity 


Let us summarize the computational complexity of the attack. We assume first 
a value B = 80 − u − 1 and P'_B such that P_B | P'_B. There is an error probability, 
1 − α_{P'_B}, that this assumption is not true. 

Then we guess 2u + 2 key bits corresponding to the last u + 1 quasigroups 
used. For each such key the complexity of checking it is then roughly 2^{u+v} · K. 
Since v = u + d this results in a total complexity of about 


2^{4u+d+3} · (u + d)/d. 


After recovering 2u + 2 key bits one can either reconstruct the sequence after B 
e-transformers and apply the same attack again, now with much less complexity; 
or simply do an exhaustive key search on the remaining key bits. 
6 Algorithmic Aspects 

In this section we describe some algorithmic aspects of the attack and show that 
the complexity is based on very simple operations, much faster than the oper- 
ation of verifying a key candidate in exhaustive key search. The considerations 
here relate to the part of the attack that calculates the sets. 

Let (a_{B+1,t}, ..., a_{79,t}) be the state of the lower part of Edon80 at time 
t and denote it S_t. In Figure 4 this corresponds to a column starting below an x_i 
value. 

In a straightforward algorithm we save all possible states S_t and the cor-
responding X vector. Each time a new a_{79,t} (t even) is introduced, each state 
S_t with corresponding X vector will produce 4 new states. Each new state will 
have a corresponding X vector with 2 additional entries. Thus, at the end of the 
algorithm, we will have 2^{u+v} possible states and X vectors. We can note that 
the last step is the most expensive step. It will cost C · 2^{u+v} where C is the cost 
for making 2u + 2 table lookups. This constant can be significantly reduced by 
using a slightly different algorithm. 

We can take advantage of the following observation. Since the length of the 
state vector S_t is u + 1 there are in general 4^{u+1} possible values for the state 
of the lower part of Edon80 at any time. However, looking at the attack as 
illustrated in Figure 4 where we have a given keystream sequence z_t, z_{t+2}, ..., 
we observe that at any time instance (with a received keystream symbol) only 
2^{2⌈u/2⌉} different states of the second part of Edon80 are possible. 

This property comes from the fact that we know every second of the values 
z_t = a_{79,t}. Knowing a_{79,t} and a_{79,t+2} and allowing 4 possible values for a_{79,t+1} 
will give 4 possibilities for the pair (a_{77,t+2}, a_{78,t+2}). Knowing a_{79,t}, a_{79,t+2} and 
a_{79,t+4} and allowing 16 possibilities for (a_{79,t+1}, a_{79,t+3}) gives 16 possibilities for 
the vector (a_{75,t+4}, a_{76,t+4}, a_{77,t+4}, a_{78,t+4}) etc. 

We can from the known keystream compute all 2^u possible states for times 
t + u + 1, t + u + 3, .... We can then obtain a trellis by including all possible state 
transitions from time t + u + 1 to t + u + 3 and so on. A state transition from 
time t + u + 1 to t + u + 3 can be labelled by the pair of x values giving rise to 
that transition. This way of modelling the lower part of Edon80 is useful when 
we implement the algorithm for computing the Γ_k sets for a given choice of key 
bits. 

We can divide the X vector in two equally sized parts, X = (X_1, X_2), where 
X_1 = (x_1, x_2, ..., x_{v/2}) and X_2 = (x_{v/2+1}, x_{v/2+2}, ..., x_v). We first assign Y and 
compute possible values of Y as before. This is actually equivalent to computing 
the state of the second part of Edon80 at time t + u, so when we continue 
we do not keep the value of Y but instead we keep the state S_t at the time 
we are considering. We continue as before, but only over the X_1 vector. This 
results in a set of possible X_1 vectors and their ending states S_{t+u+v/2}. The 
complexity of calculating this set is then C · 2^{u+v/2}. Next, for every choice of the 
2^u possible states S_{t+u+v/2} at time t + u + v/2, we assign all possible values for 
x_{v/2+1}, x_{v/2+2}, ... and create a second set of all possible X_2 vectors and their 
starting states S_{t+u+v/2}. The complexity of calculating this second set is also 
C · 2^{u+v/2}. Thus, calculating the two sets is much faster than finding Γ_k in the 
straightforward algorithm. 

The bottleneck in this algorithm is to create Γ_k from the two sets. This 
is done by selecting all possible combinations of X_1 and X_2 where the ending 
state of X_1 and the starting state of X_2 are the same. With the two sets sorted 
according to the states S_{t+u+v/2}, the set Γ_k is easily obtained. Since the size 
of Γ_k is about 2^{u+v} this does not change the asymptotic complexity but the 
constant term in the complexity is very small. Each operation consists of just 
concatenating X_1 and X_2, a very simple operation. 

The memory requirement in the algorithm is moderately small. We need about 
2^{u+v} words, where each word represents an X vector. 

7 Simulation Results 

In order to verify the attack, it has been simulated on a reduced version of 
Edon80. We have produced a keystream exactly as in Edon80 with the modi-
fication that only 24 e-transformers were used, i.e., a variant logically denoted 
Edon24. We have investigated the case when the assumed period P'_B is such that 
P_B | P'_B. The simulations target the number of possible values for the vector X 
that are still possible after intersecting the k' sets Γ_k, k = 0, 1, ..., k'. Table 1 
shows the average number of remaining elements for different values of k' when 
v = u + 2, i.e., when d = 2. As stated in Section 5.3 we expect that we need 
about v intersections of sets Γ_k. For all simulated values of u we have in average 
only 0.1 possible value for the X vector left in Γ_k after v = u + 2 intersections. 
This verifies our claim. Table 2 shows the average number of remaining elements 
when d = 6. As expected, the intersections produce an empty set with much 
fewer sets than in the case with d = 2. 


Table 1. The average number of possible values for X left in the intersection of Γ_k, k = 
0, 1, ..., k' sets for different choice of u, when d = 2 

k' \ |Y| = u        4          5          6          7          8          9 
  0             909.3     3597.7    14534.2    57953.3   232281.4   927796.6 
  1             201.6      788.9     3226.0    12823.0    51486.9   205105.3 
  2              45.8      172.3      716.5     2837.0    11407.7    45379.9 
  3              10.1       37.7      159.0      626.2     2526.2    10033.2 
  4               2.3        8.3       35.2      138.4      558.9     2223.5 
  5               0.5        1.9        7.8       30.6      124.2      493.0 
  6               0.1        0.4        1.7        6.8       27.7      109.2 
  7               0.0        0.1        0.4        1.5        6.1       23.9 
  8               0.0        0.0        0.1        0.3        1.3        5.4 
  9               0.0        0.0        0.0        0.1        0.3        1.1 
 10               0.0        0.0        0.0        0.0        0.1        0.2 
 11               0.0        0.0        0.0        0.0        0.0        0.1 
 12               0.0        0.0        0.0        0.0        0.0        0.0 
Table 2. The average number of possible values for X left in the intersection of Γ_k, k = 
0, 1, ..., k' sets for different choice of u, when d = 6 

k' \ |Y| = u          4          5          6          7 
  0             16265.1    64310.8   260222.9  1040318.8 
  1               253.0      983.8     4036.7    16164.6 
  2                 3.8       15.2       62.9      250.0 
  3                 0.1        0.2        0.9        4.1 
  4                 0.0        0.0        0.0        0.1 
  5                 0.0        0.0        0.0        0.0 


Moreover, our implementation also always found the correct key and discarded 
all false key candidates using our algorithm. 

8 Estimating the Attack Complexity 

As explained before, we have several parameters that we can choose, giving 
different parameters for the attack. Basically, there is a trade-off between the 
required length of the received keystream and the computational complexity of the 
key recovery part. For example, choose d = 2 and u = 9 as simulated above, 
i.e. B = 70 in the Edon80 case, and an assumed period of P'_B = 2^{40} · 3^{24}. Then 
the computational complexity is low, roughly 2^{44}, but the required keystream is 
large, roughly 2^{78} · 11, where the factor 11 comes from the fact that we need to 
intersect at most 11 + 1 sets Γ_k. With the low computational complexity we can 
of course increase the d parameter and reduce the required keystream to roughly 
2^{78}. Finally, we must include the error probability. An error occurs if P'_B is not 
a multiple of the true period P_B. We simply use (3) to estimate this probability. 
A numerical calculation gives that the period is below 2^{78} with probability more 
than 1/2. There may be some possible periods below 2^{78} which do not divide 
P'_B. On the other hand, we can try out different (the most probable) forms of P'_B 
in our attack with only a slight increase in complexity. So here we can assume 
that the error probability is about 1 − α_{P'_B} ≈ 1/2. 

Clearly, such a long received keystream sequence as 2^{78} is not desirable, even 
if the computational complexity is low. We also see that allowing the error prob-
ability to be quite close to 1 might be beneficial. We will then repeat the attack 
α_{P'_B}^{-1} times and the requirement is now to receive α_{P'_B}^{-1} different keystreams (ob-
tained from different IV values). The computational complexity, T, grows to 

T = α_{P'_B}^{-1} · 2^{4u+d+3} · (u + d)/d. 

Though in average we only need slightly less than K intersections, there will be 
key candidates that need more intersections before they can be discarded. On 
the other hand, it is not crucial that all wrong key candidates are discarded. If 
we end up with a set of possible keys then these keys can be tested individually 
at the end. This will not affect the computational complexity. With P'_B · K 
keystream bits, we will have K + 1 sets Γ_k, k = 0, 1, ..., K to intersect. This 
will keep the probability of false alarm low. Thus, the number of keystream bits, 
D_IV, that are needed from each IV is given by 


The total number of keystream bits, D_tot, is given by 

D_tot = α_{P'_B}^{-1} · P'_B · (2u + 2d)/d. 

The trade-off parameters in the attack are u, d and P'_B. The attack complex-
ities are all functions of these values. We consider two cases. 

I   There is no restriction on the amount of keystream that can be generated by 
one key/IV pair. 

II  We respect the limitation given in [2], i.e., only 2^{48} keystream bits can be 
generated before reinitialization with a new IV. 

In Table 3 we tabulate some possible values of T, D_IV and D_tot for the two differ-
ent cases. With no restriction on the keystream per key/IV pair the parameter 
choice u = 13, d = 4 and P'_B = 2^{58} gives about 2^{69} for both computational 
complexity and total amount of keystream. We conclude that we have an attack 
requiring a total of 2^{69} received keystream bits and 2^{69} simple operations to 
recover the key. 

If we respect the 2^{48} limit, choosing parameters u = 9, d = 6 and P'_B = 2^{45} 
will allow us to recover the key with in total 2^{72.4} keystream bits and 2^{71.4} 
simple operations. In many situations it is difficult to argue that we can have 
a computational complexity that is lower than the number of keystream bits. 
An adversary observing the keystream is likely to need at least one operation 
per observed keystream bit. On the other hand, only very few keystream bits 
are actually used in the attack. If the adversary can randomly access keystream 
bits, the computational complexity can be allowed to be much smaller than the 
keystream. 

Comparing the attack to an exhaustive key search, we can note that an ex-
haustive key search would require computing the key/IV setup consisting of 160 
cycles and then additionally 80 cycles to get the 80 first output bits. Every cycle 
must compute 80 quasigroup operations. So a software implementation would 
require 240 · 80 quasigroup operations, i.e., more than 2^{14} operations to test one 
key. Thus, our attack requiring roughly 2^{69} simple operations is about 2^{25} times 
faster than a software implemented exhaustive key search. 
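The complexity estimates of Sections 5.3, 5.4 and 8 carried through numerically, as an added example that is not part of the paper: it reproduces K ≈ 2v/d, the 1/2^d bound on surviving X candidates behind Table 1, D_IV = P'_B · K, T = α_{P'_B}^{-1} · 2^{4u+d+3} · (u+d)/d and the comparison with software exhaustive search. The values of α_{P'_B} for the two parameter choices are not given on the page, so log2 of α^{-1} is an explicit input (an assumption), and the stand-alone checks only use quantities that do not depend on it.

```python
# Added example (not the paper's code): the attack's cost model in log2 units.
# alpha_{P'_B} for the parameter sets of Section 8 is not on the page, so it is
# an explicit argument (log2 of its inverse) rather than a hard-coded value.
import math


def sets_needed(u, d):
    """K ~ 2v/d with v = u + d: how many sets Gamma_k (k = 0..K-1) are needed
    before the intersection of X candidates is expected to be empty."""
    v = u + d
    return 2 * v / d


def expected_survivors(u, d, k_prime):
    """Section 5.3 upper bound on the average number of X vectors left after
    intersecting the k'+1 sets Gamma_0..Gamma_k': each set keeps a fraction
    1/2^d of the 4^v possible X vectors (duplicates are ignored, so the
    simulated values in Table 1 come out slightly lower)."""
    v = u + d
    return 4 ** v / 2 ** (d * (k_prime + 1))


def log2_work_per_iv(u, d):
    """log2 of the key-recovery work for one IV without the alpha factor:
    2^(2u+2) key guesses, each costing about 2^(u+v) * K with v = u + d,
    which is 2^(4u+d+3) * (u+d)/d as in Section 5.4."""
    return 4 * u + d + 3 + math.log2((u + d) / d)


def log2_keystream_per_iv(u, d, log2_period):
    """log2 of D_IV = P'_B * K: keystream bits needed from one key/IV pair so
    that the K+1 sets can be formed (log2_period is log2 of the assumed P'_B)."""
    return log2_period + math.log2(sets_needed(u, d))


def log2_totals(u, d, log2_period, log2_alpha_inv):
    """(log2 T, log2 D_tot) for Section 8: work and total keystream both grow
    by the same factor alpha^{-1}, because the attack is repeated on alpha^{-1}
    keystreams from different IVs until P_B | P'_B holds for one of them."""
    t = log2_alpha_inv + log2_work_per_iv(u, d)
    d_tot = log2_alpha_inv + log2_keystream_per_iv(u, d, log2_period)
    return t, d_tot


def log2_exhaustive_search_gain(log2_attack_work, key_bits=80,
                                cycles=240, ops_per_cycle=80):
    """log2 of how many times faster the attack is than software exhaustive
    search, where one key trial costs cycles * ops_per_cycle quasigroup
    operations (160 setup + 80 output cycles, 80 operations each)."""
    return key_bits + math.log2(cycles * ops_per_cycle) - log2_attack_work


if __name__ == "__main__":
    # Case I of Section 8: u = 13, d = 4, P'_B = 2^58.  Without alpha the
    # per-IV work and per-IV keystream already coincide (both about 2^61).
    print("case I: K = %.1f, log2 D_IV = %.2f, log2 work/IV = %.2f" % (
        sets_needed(13, 4), log2_keystream_per_iv(13, 4, 58),
        log2_work_per_iv(13, 4)))
    # Case II: u = 9, d = 6, P'_B = 2^45; D_tot exceeds T by exactly 2^1,
    # matching the page's 2^72.4 keystream bits versus 2^71.4 operations.
    t, d_tot = log2_totals(9, 6, 45, 0.0)
    print("case II: log2 D_tot - log2 T = %.1f" % (d_tot - t))
    # Section 5.3 model against Table 1 at u = 4, d = 2, k' = 6 (simulated 0.1).
    print("model bound after 7 sets: %.2f" % expected_survivors(4, 2, 6))
```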

9 Conclusion 

An attack on Edon80 has been presented. It takes advantage of the relatively 
short period inside the state of the cipher. By knowing that some values in the 
internal state will repeat with high probability after a certain amount of state 
updates, it was possible to determine several key bits used in the update of the 
last part of the state. The required number of keystream bits as well as the total 
complexity is around 2^{69}, if we allow each key/IV pair to generate about 2^{61} 
keystream bits. If we consider the restriction put by the designers, i.e., only 2^{48} 
keystream bits can be produced by each key/IV pair, then the total complexity 
is about 2^{72} simple operations with about 2^{47} bits from each key/IV pair. 

Adding just a few more quasigroup operations to the chain of 80 is not enough 
to counter the attack, but doubling this number to 160 would be sufficient to 
resist the attack. However, such a modification comes at the cost of doubling the 
hardware (and the gate count). 

We do not exclude the possibility of improving this attack by for example 
finding more efficient ways of computing the intersection of Γ_k sets. Since we 
are guessing a lot of key bits, there might be a possibility to do something more 
efficient. Some minor improvements to the described attack have already been 
found, and will be described in the full version of this paper. 